CVE-2025-53092

描述

### Summary A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses. ### Technical Details By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. Example: `Origin: http://localhost:8888` `Access-Control-Allow-Origin: http://localhost:8888` `Access-Control-Allow-Credentials: true` This allows an attacker-controlled site (on a different port, like 8888) to send credentialed requests to the Strapi backend on 1337. ### Suggested Fix 1. Explicitly whitelist trusted origins 2. Avoid reflecting dynamic origins

受影響套件(1)

• npm/@strapi/corefrom 0, < 5.20.0

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-53092
• PATCHhttps://github.com/strapi/strapi
• WEBhttps://github.com/strapi/strapi/commit/6e535cb756
• WEBhttps://github.com/strapi/strapi/releases/tag/v5.20.0
• WEBhttps://github.com/strapi/strapi/security/advisories/GHSA-9329-mxxw-qwf8