CVE-2024-56143

Summary

It's possible to access any private fields by filtering through the lookup parameters

Details

Using the new lookup operator provided by the document service in Strapi 5, it is not properly sanitizing this query operator for private fields.

PoC

Create a strapi app.
Create a content-type
In the content-type you make a new entry
Go back to the list view
Add &lookup[updatedBy][password][$startsWith]=$2 to the end of your url (All passwords start with $2) see that all entries are still there
Add &lookup[updatedBy][password][$startsWith]=$3 see the entry disappear proving that the search above works

Impact

An attacker can perform filtering attacks on everything related to the object, including admin passwords and reset-tokens. This means that they can gain full access to the strapi instance.

Published: Oct 16, 2025
Updated: Oct 17, 2025
CVE: CVE-2024-56143
GHSA: GHSA-495j-h493-42q2
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWEs:

CWE-639

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
@strapi / core	5.0.0	5.5.2

Vulnerability Database

CVE-2024-56143

Summary

Details

PoC

Impact

Deep Security Visibility Without the Complexity