Improper Restriction of Excessive Authentication Attempts in strapi - CVE-2025-64526
Published: May 13, 2026
Vulnerability identifier: #VU131370
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-64526
CWE-ID: CWE-307
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: strapi.io
Affected software:
strapi
strapi
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper restriction of excessive authentication attempts in the rate-limit middleware of the users-permissions plugin when handling authentication requests on routes that do not use an email field. A remote attacker can send crafted requests with arbitrary email values to bypass per-IP throttling and cause a denial of service.
The issue affects /auth/local, /auth/reset-password, and /auth/change-password, where the middleware derives part of the rate-limit key from an attacker-controlled email field that is outside the route contract.
How to mitigate CVE-2025-64526
Install security update from vendor's website.