CVE-2025-53092

Summary

A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses.

Technical Details

By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting.

Example: Origin: http://localhost:8888 Access-Control-Allow-Origin: http://localhost:8888 Access-Control-Allow-Credentials: true

This allows an attacker-controlled site (on a different port, like 8888) to send credentialed requests to the Strapi backend on 1337.

Suggested Fix

Explicitly whitelist trusted origins
Avoid reflecting dynamic origins

Published: Oct 16, 2025
Updated: Oct 17, 2025
CVE: CVE-2025-53092
GHSA: GHSA-9329-mxxw-qwf8
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWEs:

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
@strapi / core	-	5.20.0

Vulnerability Database

CVE-2025-53092

Summary

Technical Details

Suggested Fix

Deep Security Visibility Without the Complexity