CVE-2024-52588

Name of the Vulnerable Software and Affected Versions Strapi versions prior to 4.25.2

Description The issue allows an attacker to input a local domain into the Webhooks URL field, leading to a server-side request forgery (SSRF). This enables the application to fetch itself, potentially allowing an attacker to brute-force through all 65535 ports to determine which ports are open if there is a real server running Strapi with multiple ports open.

Recommendations For Strapi versions prior to 4.25.2, update to version 4.25.2 to resolve the issue. As a temporary workaround, consider restricting access to the Webhooks URL field to minimize the risk of exploitation. Avoid using local domains such as localhost, 127.0.0.1, or 0.0.0.0 in the Webhooks URL field until the issue is resolved.