PT-2025-42494 · Strapi · Strapi

Published: 2025-10-16 · Updated: 2025-11-25 · CVE-2025-53092

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Strapi versions prior to 5.20.0

Description
Strapi, an open source headless content management system, has a Cross-Origin Resource Sharing (CORS) misconfiguration in default installations. The system reflects the value of the Origin header in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin and sending requests with credentials to the Strapi API. The API endpoint is vulnerable to requests with improperly validated origins.

Recommendations
Versions prior to 5.20.0 should be updated to version 5.20.0 or later. Explicitly whitelist trusted origins. Avoid reflecting dynamic origins.
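As an added example (not code from the Strapi project or from this advisory), the following JavaScript contrasts the origin-reflecting behaviour described above with an exact allowlist check, and includes a small audit function a defender can run over captured request and response headers to confirm whether an instance grants credentialed cross-origin reads to origins it does not trust. The allowlist contents, the example origins and all function names are assumptions made for this illustration.

```javascript
// Added example (not Strapi's own middleware code): the reflecting CORS
// behaviour the advisory describes, the allowlisted replacement, and a small
// audit check a defender can run against captured request/response headers.
// TRUSTED_ORIGINS and all function names are assumptions for this example.

// Constructed allowlist: exact scheme://host[:port] strings, nothing looser.
const TRUSTED_ORIGINS = new Set([
  'https://admin.example.com',
  'https://app.example.com',
]);

// Vulnerable: whatever Origin the browser sent is echoed back together with
// Allow-Credentials, so any site can read authenticated API responses.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Hardened: echo the origin only on an exact allowlist match. Unknown origins
// get no CORS headers, so the browser refuses to expose the response.
// Note: substring or suffix checks (e.g. endsWith('example.com')) are not an
// allowlist, because they also match unrelated hosts; compare whole origins.
function corsHeadersAllowlisted(requestOrigin, allowlist = TRUSTED_ORIGINS) {
  if (!requestOrigin || !allowlist.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Audit check: given the Origin that was sent and the headers that came back,
// report whether a credentialed cross-origin read was granted to an origin
// outside the allowlist (the condition this advisory describes).
function isOverlyPermissiveCors(requestOrigin, responseHeaders, allowlist = TRUSTED_ORIGINS) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const credentialed =
    String(responseHeaders['Access-Control-Allow-Credentials'] || '').toLowerCase() === 'true';
  if (!acao || !credentialed) return false;
  // Browsers reject '*' combined with credentials, but flag it anyway.
  if (acao === '*') return true;
  return acao === requestOrigin && !allowlist.has(requestOrigin);
}

// Constructed walk-through comparing both behaviours for an untrusted origin.
function demo() {
  const untrusted = 'https://attacker.invalid';
  return {
    reflecting: isOverlyPermissiveCors(untrusted, corsHeadersReflecting(untrusted)),   // true
    allowlisted: isOverlyPermissiveCors(untrusted, corsHeadersAllowlisted(untrusted)), // false
  };
}

console.log(demo());
```

The browser only withholds a cross-origin response when the server omits a matching Access-Control-Allow-Origin header, which is exactly what the hardened function does for unknown origins; it does not stop the request from reaching the server, so CSRF protections on state-changing endpoints remain necessary. In Strapi the equivalent setting is the `origin` option of the `strapi::cors` middleware in the project's middleware configuration (check the documentation for your version); the substance is the same as `corsHeadersAllowlisted`: a fixed list, exact comparison, no reflection.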

Exploit

Fix

Improper Access Control

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2025-53092
GHSA-9329-MXXW-QWF8

Affected Products

Strapi