✨ Strapi MCP is now Generally Available - let your agents manage your Strapi content ✨

Security & Privacy8 min read

Security Disclosure of Vulnerabilities: CVE-2024-31217, CVE-2024-29181, and CVE-2024-34065 for June 2024

June 12, 2024Updated on July 1, 2026
Security Disclosure of Vulnerabilities for June

Disclosure Summary

Thanks to several community members, we have been notified and patched three security vulnerabilities:

Per our security policy, we are performing our due diligence by publicly disclosing these vulnerabilities after careful testing, validation, communication, and our mandatory waiting period. For further details of the patched vulnerabilities, please refer to the information below or consult the linked GitHub Advisories.

We would like to thank the following community members for their participation in our security program:

Immediate resolution steps for all vulnerabilities disclosed here

To immediately resolve all vulnerabilities detailed in this post, please update all of your Strapi packages to version v4.24.2.

CVE-2024-31217: Denial-of-Service via Improper Exception Handling

Summary of CVE-2024-31217 Vulnerability Details

  • CVE: CVE-2024-31217
  • CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
  • Affected Versions: <=4.21.0
  • How to Patch: Immediately update your Strapi to version >=4.22.0

Description of CVE-2024-31217

A Denial-of-Service was found in the media upload process causing the server to crash without restarting, affecting either development and production environments.

Using Specifically crafted requests, a user with the proper permissions to upload assets to a Strapi project could inject a null character within the file-path leading to an unhandled exception and causing the Strapi instance to crash.

IoC's for CVE-2024-31217

Due to the nature of this vulnerability and the fact file paths are not logged by default in the Strapi Server logs, the only way to detect this vulnerability is if you see odd crashes of the application with a similar stack trace as the following:

[2024-03-22 10:23:42.629] http: POST /upload (22 ms) 400
node:internal/fs/utils:379
  const err = new ERR_INVALID_ARG_VALUE(
              ^

TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string, Uint8Array, or URL without null bytes. Received '/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/public/uploads/replaceme_png_88efe6a165.png\x00'
    at new WriteStream (node:internal/fs/streams:340:5)
    at Object.createWriteStream (node:fs:3123:10)
    at /mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/provider-upload-local/dist/index.js:71:33
    at new Promise (<anonymous>)
    at Object.uploadStream (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/provider-upload-local/dist/index.js:68:16)
    at Object.uploadStream (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/register.js:80:35)
    at Object.upload (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/services/provider.js:16:46)
    at Object.uploadImage (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/services/upload.js:220:48) {
  code: 'ERR_INVALID_ARG_VALUE'
}

Timeline for CVE-2024-31217

TimeEvent
2024/02/14 02:39am GMTReport of the vulnerability received by the Strapi Security Team
2024/02/14 03:24pm GMTStrapi Security Team acknowledged the report and began investigating
2024/03/22 05:26pm GMTVulnerability report was accepted by the Strapi Team
2024/03/22 05:49pm GMTInternal reproduction sent to Strapi Engineering Team to review
2024/03/22 06:05pm GMTInternal Patch Development started
2024/03/25 09:16pm GMTInitial draft patch completed and experimental created for patch validation
2024/03/26 05:44pm GMTDetection of an additional issue was found and reproduction shared to Strapi Engineering Team
2024/03/26 09:12pm GMTNew patch issued and experimental created for patch validation
2024/04/04 05:15pm GMTPatch was merged and released in Strapi v4.22.0 and warning was included in patch notes
2024/04/04 06:09pm GMTGitHub issued CVE-2024-31217 per our request
2023/04/05 04:32pm GMTDisclosure communication placed on hold due to internal requirements and other vulnerability work being performed
2024/06/03 05:26pm GMTInitial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts
2024/06/03 12:00pm GMTMandatory waiting period of 2 weeks initiated
2024/06/12 02:00pm GMTReleased the full disclosure of the vulnerability and published GitHub Advisories
2024/06/12 04:00pm GMTDisclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts

CVE-2024-29181: Leaking data via relations via the Admin Panel

Summary of CVE-2024-29181 Vulnerability Details

  • CVE: CVE-2024-29181
  • CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
  • Affected Versions: <=4.19.0
  • How to Patch: Immediately update your Strapi to version >=4.19.1

Description of CVE-2024-29181

CVE-2024-29181 is a low severity vulnerability in the Strapi framework, with a CVSS score 2.3. This vulnerability stems from lax RBAC access control on fields that render lists of relations. This vulnerability does not require steps to be exploitable but instead relies on the possibility that a non-super admin user without the privileges to read the related data can see said data in the content manager's create and edit pages. However, a likely attack vector would be unauthorized access to information, the severity of which would depend on what the display field of the list item has been mapped to. For instance, mapping related entities to uuid-v4 strings wouldn't immediately pose a threat, but mapping it to either an email or primary key id could result in an enumeration based attack.

IoC's for CVE-2024-29181

Due to the nature of this vulnerability, there are no other indicators of compromise.

Timeline for CVE-2024-29181

The timeline for this vulnerability is a bit shorter as we only noticed the report after the vulnerability was fixed while fixing another related bug. We are still communicating and disclosing this vulnerability as part of our process.

TimeEvent
2023/09/01 19:51pm GMTReport of the vulnerability received by the Strapi Security Team
2024/01/31 01:58pm GMTA release was made that patched the vulnerability before the vulnerability report was accepted
2024/01/31 01:58pm GMTPatch was released in Strapi version v4.19.1
2024/03/21 06:39pm GMTVulnerability report was accepted by the Strapi Team
2024/03/21 08:00pm GMTGitHub issued 2024-29181 per our request
2024/03/21 09:00pm GMTPrevious patch validated that it resolved the vulnerability, rest of process expedited retroactively
2023/04/05 04:32pm GMTDisclosure communication placed on hold due to internal requirements and other vulnerability work being performed
2024/06/03 05:26pm GMTInitial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts
2024/06/03 12:00pm GMTMandatory waiting period of 2 weeks initiated
2024/06/12 02:00pm GMTReleased the full disclosure of the vulnerability and published GitHub Advisories
2024/06/12 04:00pm GMTDisclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts

CVE-2024-34065: 3rd party token leak and authentication bypass

Summary of CVE-2024-34065 Vulnerability Details

  • CVE: CVE-2024-34065
  • CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
  • Affected Versions: <= 4.24.1
  • How to Patch: Immediately update your Strapi to version >=4.24.2

Description of CVE-2024-34065

CVE-2024-34065 is a high-severity vulnerability in the Strapi framework, with a CVSS score of 7.1. This vulnerability results from the combination of an Open Redirect and the transmission of session tokens via URL query parameters. Exploiting this vulnerability allows unauthenticated attackers to bypass authentication mechanisms and obtain third-party tokens, potentially leading to unauthorized access to the affected application. A likely attack vector involves a phishing scenario, where attackers trick users into clicking a malicious link, thereby redirecting them to an external domain and capturing their session tokens. The attack requires low complexity and no privileges, though it does require user interaction (a single click).

Special note, this vulnerability will only impact 3rd party providers as part of the users-permissions plugin and only if those providers do not have strict callback/redirect URI validation on the provider side. This does not impact the Strapi Admin panel SSO as all of those providers generally have strict callback/redirect URI validation already.

IoC's for CVE-2024-34065

Using the following regex pattern (replacing your specific provider, in this case showing Discord): ^\[[0-9:-\. ]+\] http: GET \/api\/connect\/discord\/callback\?=.+$ carefully review your logs for any callback address that is not what you have configured.

For example: [2024-05-30 14:27:22.268] http: GET /api/connect/discord/callback?=https://strapi.io

If you detect that this has been used against you, you should immediately update and change your JWT secret. You can find the JWT secret in your .env file or configured as an environment variable called: JWT_SECRET

Timeline for CVE-2024-34065

TimeEvent
2024/02/16 07:51pm GMTReport of the vulnerability received by the Strapi Security Team
2024/03/22 10:15pm GMTStrapi Security Team acknowledged the report and began investigating
2024/03/26 10:47pm GMTDecided with reporter not to split this report into two separate reports
2024/04/25 03:18pm GMTVulnerability report was accepted by the Strapi Team
2024/04/02 03:07pm GMTAn experimental release was made with the changes communicated previously for testing
2024/05/03 10:00am GMTGitHub issued CVE-2024-34065 per our request
2024/05/08 02:18pm GMTPatch was released in Strapi version v4.24.2
2023/04/05 04:32pm GMTDisclosure communication placed on hold due to internal requirements and other vulnerability work being performed
2024/06/03 05:26pm GMTInitial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts
2024/06/03 12:00pm GMTMandatory waiting period of 2 weeks initiated
2024/06/12 02:00pm GMTReleased the full disclosure of the vulnerability and published GitHub Advisories
2024/06/12 04:00pm GMTDisclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts

Commitment to Responsible Disclosure

We at Strapi do believe in responsible disclosure. In the case of these vulnerabilities, we have worked with the security researcher to ensure that the vulnerabilities were patched before the full disclosure of the vulnerabilities. Once a vulnerability is patched, we added a notice to our release notes to inform users there was a security vulnerability but initially wanted to delay detailed disclosure for a few weeks to give time for users to upgrade before the release of the full disclosure. As an additional step, we immediately notified our customers via several emails beforehand to ensure they were aware of the vulnerabilities and to upgrade their Strapi servers.

In this case, we believe that delaying the detailed disclosure was important to ensure that users had the time required to upgrade their Strapi servers before making the details of each vulnerability public, thus placing that information in the hands of bad actors. We also believe that the security researcher was very professional and responsible in handling the vulnerabilities, and we are very thankful for their work in helping us improve the security of Strapi.

We urge anyone who believes they have discovered a security vulnerability to assist us in responsibly disclosing the vulnerability to us by submitting a GitHub Advisory on our main repo or by contacting our security team via security@strapi.io.

Thanks,

The Strapi Security Team

Derrick Mehaffy Support Engineer Team Lead
Security & Privacy·10 min read

Security Disclosure of Vulnerabilities: CVE-2023-36472, CVE-2023-38507, CVE-2023-37263, and CVE-2023-39345

This article details and discloses four security vulnerabilities and recommends immediate upgrading to fix them.

·September 13, 2023
API security
Security & PrivacyBeginner·11 min read

Best Practices of API Security in Strapi

Learn about the best practices for API security in Strapi to protect your data from potential threats and vulnerabilities.

·August 9, 2023
Security Disclosure of Vulnerabilities_ CVE-2023-34235 and CVE-2023-34093
Security & Privacy·6 min read

Security Disclosure of Vulnerabilities: CVE-2023-34235 and CVE-2023-34093

This article details and discloses two security vulnerabilities and recommends immediate upgrading to fix them.

·July 25, 2023