SB2026042377 - Overly permissive cross-domain whitelist in strapi

Description

This security bulletin contains information about 1 vulnerability.

1) Overly permissive cross-domain whitelist (CVE-ID: CVE-2025-53092)

CWE-ID: CWE-942 - Overly Permissive Cross-domain Whitelist

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to permissive cross-domain security policy with untrusted domains in the CORS handling of @strapi/core when handling cross-origin requests. A remote attacker can host an attacker-controlled origin and send credentialed requests to disclose sensitive information.

Default installations reflect the Origin header in the Access-Control-Allow-Origin response header and allow credentials in cross-origin responses.

Remediation

Install update from vendor's website.

References

• https://github.com/strapi/strapi/security/advisories/GHSA-9329-mxxw-qwf8
• https://github.com/advisories/GHSA-9329-mxxw-qwf8