ghsa-v8wj-f5c7-pvxf
Vulnerability from github
Published
2025-05-27 17:59
Modified
2025-05-29 21:03
Summary
Strapi allows Server-Side Request Forgery in Webhook function
Details
Description
In the latest Strapi version, under Settings -> Webhooks, the application allows a URL to be entered in order to create a Webhook connection. However, this field also accepts local hosts such as localhost, 127.0.0.1, 0.0.0.0, etc., which makes the application fetch from itself and causes a Server-Side Request Forgery (SSRF) vulnerability.
Payloads
- http://127.0.0.1:80 -> the port is not open
- http://127.0.0.1:1337 -> the port which Strapi is running on
Steps to Reproduce
- First of all, let's input the URL http://127.0.0.1:80 into the URL field, and click "Save".
- Next, use the "Trigger" function and use Burp Suite to capture the request / response
- The server returns request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80, because Port 80 is not open. Since we are running Strapi on Port 1337, let's change the URL we input above into http://127.0.0.1:1337
- Continue to click the "Trigger" function, use Burp to capture the request / response
- The server returns Method Not Allowed, which means that something is actually listening on Port 1337 on the machine.
PoC
Here is the PoC video:
https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing
Impact
- If there is a real server running Strapi with many ports open, an attacker can use this SSRF vulnerability to probe all 65535 ports and learn which ones are open.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@strapi/admin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.25.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52588"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-27T17:59:52Z",
"nvd_published_at": "2025-05-29T09:15:25Z",
"severity": "MODERATE"
},
"details": "## Description\nIn Strapi latest version, at function Settings -\u003e Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as `localhost`, `127.0.0.1`, `0.0.0.0`,.... in order to make the Application fetching into the internal itself, which causes the vulnerability `Server - Side Request Forgery (SSRF)`.\n\n\n## Payloads\n- `http://127.0.0.1:80` -\u003e `The Port is not open`\n- `http://127.0.0.1:1337` -\u003e `The Port which Strapi is running on`\n\n\n## Steps to Reproduce\n- First of all, let\u0027s input the URL `http://127.0.0.1:80` into the `URL` field, and click \"Save\".\n\n\n\n\n\n- Next, use the \"Trigger\" function and use Burp Suite to capture the request / response\n\n\n\n\n\n- The server return `request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80`, BECAUSE the `Port 80` is not open, since we are running Strapi on `Port 1337`, let\u0027s change the URL we input above into `http://127.0.0.1:1337`\n\n\n\n\n\n- Continue to click the \"Trigger\" function, use Burp to capture the request / response\n\n\n\n\n\n- The server returns `Method Not Allowed`, which means that there actually is a `Port 1337` running the machine.\n\n\n## PoC\nHere is the Poc Video, please check: \n\nhttps://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing\n\n## Impact\n\n- If there is a real server running Strapi with many ports open, by using this SSRF vulnerability, the attacker can brute-force through all 65535 ports to know what ports are open.",
"id": "GHSA-v8wj-f5c7-pvxf",
"modified": "2025-05-29T21:03:02Z",
"published": "2025-05-27T17:59:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52588"
},
{
"type": "PACKAGE",
"url": "https://github.com/strapi/strapi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Strapi allows Server-Side Request Forgery in Webhook function"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.