PT-2026-40833 · Strapi · Strapi

Published: 2026-05-13 · Updated: 2026-05-14 · CVE-2025-64526

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 5.45.0

Description: The rate-limit middleware in the users-permissions plugin incorrectly derives its rate-limit key from ctx.request.body.email, even on routes whose body schema does not require an email field, such as '/auth/local', '/auth/reset-password', and '/auth/change-password'. An unauthenticated attacker can include an arbitrary email value in the request body to generate a unique rate-limit key for every request. This allows the attacker to bypass per-IP throttling, enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attacks. The rate-limit key is constructed as ${userIdentifier}:${requestPath}:${ctx.request.ip}, where userIdentifier is mapped to ctx.request.body.email. While this is correct for routes like '/auth/forgot-password' and '/auth/local/register', it is flawed for routes that use other identifying fields, such as 'identifier' for login, 'code' for password reset, or 'currentPassword' for password change.

Recommendations: Update Strapi to version 5.45.0 or later.
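The following is an added illustration, not Strapi's code or the upstream patch. It reproduces the key derivation the description gives (identifier taken from body.email on every route) next to a hardened derivation that only accepts the single body field each route's schema defines and falls back to an IP-only key otherwise. The ctx objects, the route-to-field table, and the in-memory limiter are constructed stand-ins for a Koa-style request context and a real limiter store, so the file runs offline.

```javascript
// Added example (not from the advisory or from Strapi): vulnerable vs.
// hardened rate-limit key derivation. ctx objects below are constructed
// stand-ins for Koa's ctx.request { path, ip, body }.

// Vulnerable derivation as described in the advisory: the identifier is
// always read from body.email, whatever the route's body schema says.
function vulnerableKey(ctx) {
  const userIdentifier = ctx.request.body.email;
  return `${userIdentifier}:${ctx.request.path}:${ctx.request.ip}`;
}

// Hardened derivation (assumed design): each route names the one body field
// that identifies the account the request concerns. Routes absent from the
// table, e.g. the authenticated /auth/change-password, get an IP-only key,
// so extra or unexpected body fields can never widen the key space.
const IDENTIFIER_FIELD = {
  '/auth/local': 'identifier',
  '/auth/local/register': 'email',
  '/auth/forgot-password': 'email',
  '/auth/reset-password': 'code',
};

function hardenedKey(ctx) {
  const { path, ip, body } = ctx.request;
  const field = IDENTIFIER_FIELD[path];
  const raw = field && body ? body[field] : undefined;
  // Only a non-empty string from the route's own field is used, normalised
  // so 'Alice' and 'alice ' share one bucket; anything else means IP-only.
  const ident = typeof raw === 'string' && raw.trim() !== ''
    ? raw.trim().toLowerCase()
    : 'anon';
  return `${ident}:${path}:${ip}`;
}

// Minimal fixed-window limiter: counts hits per key, allows up to `max`.
function makeLimiter(max, keyFn) {
  const hits = new Map();
  return (ctx) => {
    const key = keyFn(ctx);
    const n = (hits.get(key) || 0) + 1;
    hits.set(key, n);
    return n <= max; // true = allowed, false = throttled
  };
}

// Constructed sample: one client IP repeatedly hits the login route with the
// same 'identifier' but a fresh, meaningless 'email' field on each request.
// The login schema defines only 'identifier' and 'password'.
function makeLoginCtx(i) {
  return {
    request: {
      path: '/auth/local',
      ip: '203.0.113.10',
      body: { identifier: 'alice', email: `junk${i}@example.invalid` },
    },
  };
}

// How many distinct limiter buckets the sample requests land in.
function distinctKeys(keyFn, attempts) {
  const keys = new Set();
  for (let i = 0; i < attempts; i++) keys.add(keyFn(makeLoginCtx(i)));
  return keys.size;
}

// How many of the sample requests a limiter with the given keyFn lets through.
function countAllowed(keyFn, attempts, max) {
  const limiter = makeLimiter(max, keyFn);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) if (limiter(makeLoginCtx(i))) allowed++;
  return allowed;
}

function demo() {
  return {
    vulnerable: { buckets: distinctKeys(vulnerableKey, 20), allowed: countAllowed(vulnerableKey, 20, 5) },
    hardened: { buckets: distinctKeys(hardenedKey, 20), allowed: countAllowed(hardenedKey, 20, 5) },
  };
}

console.log(JSON.stringify(demo()));
```

With a limit of 5 per window, the vulnerable key puts each of the 20 requests in its own bucket and throttles none of them, while the hardened key collapses them into one bucket and throttles everything after the fifth. Detection-wise, the same property is a useful signal: many requests from one IP to a route whose schema has no email field, each carrying a different email value, is exactly the traffic shape this flaw invites.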

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts

Related Identifiers

CVE-2025-64526
GHSA-7MQX-WWH4-F9FW

Affected Products

Strapi