@strapi/core 5.11.0

1 security vulnerability found in version 5.11.0

Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

medium severity CVE-2025-53092
Affected versions: < 5.20.0

Summary

A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses.

Technical Details

By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting.

Example:

  Origin: http://localhost:8888
  Access-Control-Allow-Origin: http://localhost:8888
  Access-Control-Allow-Credentials: true

Because the reflected origin is paired with Access-Control-Allow-Credentials: true, an attacker-controlled site on a different origin (for example a different port such as 8888) can send credentialed requests to the Strapi backend on port 1337 and read the responses.

Suggested Fix

  1. Explicitly whitelist trusted origins
  2. Avoid reflecting dynamic origins
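The weak and hardened settings side by side, as an added example that is neither the advisory's nor Strapi's own code: a small function models the reflect-versus-allowlist decision described above, the example.com hosts are placeholder trusted origins, and it assumes the strapi::cors middleware takes an origin list and a credentials flag as in Strapi's documented config/middlewares.js.

```javascript
// Added example (not Strapi's own code): models the reflect-vs-allowlist
// decision so the two configurations can be compared on the same input.
// Assumption: strapi::cors accepts `origin` (list) and `credentials` (bool),
// as in config/middlewares.js:
//   { name: 'strapi::cors', config: { origin: [...], credentials: true } }

// Default-style configuration: wildcard origin with credentials enabled.
const weakCors = { origin: ['*'], credentials: true };

// Hardened configuration: explicit allowlist (placeholder hosts).
const hardenedCors = {
  origin: ['https://app.example.com', 'https://admin.example.com'],
  credentials: true,
};

// Returns the Access-Control-Allow-Origin value the server would emit for a
// given request Origin, or null when the origin should be rejected.
function allowOriginFor(requestOrigin, { origin, credentials }) {
  if (origin.includes('*')) {
    // Browsers refuse "*" together with credentials, so a reflecting
    // implementation echoes the request origin instead: that echo is the
    // misconfiguration described in the advisory.
    return credentials ? requestOrigin : '*';
  }
  return origin.includes(requestOrigin) ? requestOrigin : null;
}

// Self-check against a constructed attacker-style origin.
function demo() {
  const untrusted = 'http://localhost:8888';
  return {
    weak: allowOriginFor(untrusted, weakCors),          // reflected
    hardened: allowOriginFor(untrusted, hardenedCors),  // null (rejected)
    trusted: allowOriginFor('https://app.example.com', hardenedCors),
  };
}
```

Running demo() shows the untrusted origin echoed under the weak setting and rejected under the allowlist, while a listed origin is still served.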

No license issues detected.

This package version has a license in the source code.

This package version is available.

This package version has not been yanked and is still available for usage.