cve-2024-52588
Vulnerability from cvelistv5
Published
2025-05-29 09:02
Modified
2025-05-29 13:44
Severity ?
EPSS score ?
Summary
Strapi allows Server-Side Request Forgery in Webhook function
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf | Exploit, Vendor Advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52588",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-29T13:44:22.019270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T13:44:40.528Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "strapi",
"vendor": "strapi",
"versions": [
{
"status": "affected",
"version": "\u003c 4.25.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server side request forgery (SSRF). This issue has been patched in version 4.25.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T09:02:15.144Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf"
}
],
"source": {
"advisory": "GHSA-v8wj-f5c7-pvxf",
"discovery": "UNKNOWN"
},
"title": "Strapi allows Server-Side Request Forgery in Webhook function"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52588",
"datePublished": "2025-05-29T09:02:15.144Z",
"dateReserved": "2024-11-14T15:05:46.766Z",
"dateUpdated": "2025-05-29T13:44:40.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-52588\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-29T09:15:25.350\",\"lastModified\":\"2025-06-24T18:27:42.593\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server side request forgery (SSRF). This issue has been patched in version 4.25.2.\"},{\"lang\":\"es\",\"value\":\"Strapi es un sistema de gesti\u00f3n de contenido de c\u00f3digo abierto. Antes de la versi\u00f3n 4.25.2, introducir un dominio local en el campo URL de Webhooks provocaba que la aplicaci\u00f3n se recuperara a s\u00ed misma, lo que resultaba en un server side request forgery (SSRF). Este problema se ha corregido en la versi\u00f3n 4.25.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.25.2\",\"matchCriteriaId\":\"128D5142-48F9-4B17-8D63-AEE69B8D1F41\"}]}]}],\"references\":[{\"url\":\"https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
}
}
ghsa-v8wj-f5c7-pvxf
Vulnerability from github
Published
2025-05-27 17:59
Modified
2025-05-29 21:03
Severity ?
Summary
Strapi allows Server-Side Request Forgery in Webhook function
Details
Description
In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as localhost, 127.0.0.1, 0.0.0.0,.... in order to make the Application fetching into the internal itself, which causes the vulnerability Server - Side Request Forgery (SSRF).
Payloads
http://127.0.0.1:80->The Port is not openhttp://127.0.0.1:1337->The Port which Strapi is running on
Steps to Reproduce
- First of all, let's input the URL
http://127.0.0.1:80into theURLfield, and click "Save".
- Next, use the "Trigger" function and use Burp Suite to capture the request / response
- The server return
request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80, BECAUSE thePort 80is not open, since we are running Strapi onPort 1337, let's change the URL we input above intohttp://127.0.0.1:1337
- Continue to click the "Trigger" function, use Burp to capture the request / response
- The server returns
Method Not Allowed, which means that there actually is aPort 1337running the machine.
PoC
Here is the Poc Video, please check:
https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing
Impact
- If there is a real server running Strapi with many ports open, by using this SSRF vulnerability, the attacker can brute-force through all 65535 ports to know what ports are open.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@strapi/admin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.25.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52588"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-27T17:59:52Z",
"nvd_published_at": "2025-05-29T09:15:25Z",
"severity": "MODERATE"
},
"details": "## Description\nIn Strapi latest version, at function Settings -\u003e Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as `localhost`, `127.0.0.1`, `0.0.0.0`,.... in order to make the Application fetching into the internal itself, which causes the vulnerability `Server - Side Request Forgery (SSRF)`.\n\n\n## Payloads\n- `http://127.0.0.1:80` -\u003e `The Port is not open`\n- `http://127.0.0.1:1337` -\u003e `The Port which Strapi is running on`\n\n\n## Steps to Reproduce\n- First of all, let\u0027s input the URL `http://127.0.0.1:80` into the `URL` field, and click \"Save\".\n\n\n\n\n\n- Next, use the \"Trigger\" function and use Burp Suite to capture the request / response\n\n\n\n\n\n- The server return `request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80`, BECAUSE the `Port 80` is not open, since we are running Strapi on `Port 1337`, let\u0027s change the URL we input above into `http://127.0.0.1:1337`\n\n\n\n\n\n- Continue to click the \"Trigger\" function, use Burp to capture the request / response\n\n\n\n\n\n- The server returns `Method Not Allowed`, which means that there actually is a `Port 1337` running the machine.\n\n\n## PoC\nHere is the Poc Video, please check: \n\nhttps://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing\n\n## Impact\n\n- If there is a real server running Strapi with many ports open, by using this SSRF vulnerability, the attacker can brute-force through all 65535 ports to know what ports are open.",
"id": "GHSA-v8wj-f5c7-pvxf",
"modified": "2025-05-29T21:03:02Z",
"published": "2025-05-27T17:59:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52588"
},
{
"type": "PACKAGE",
"url": "https://github.com/strapi/strapi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Strapi allows Server-Side Request Forgery in Webhook function"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.