Description

Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.

INFO

Published Date :

2025-10-16T16:07:30.996Z

Last Modified :

2025-10-16T17:54:24.103Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-56143 vulnerability.

Vendors Products
Strapi
  • Strapi
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-56143.

URL Resource
https://github.com/strapi/strapi/commit/0c6e0953ae1e62afae9329de7ae6d6a5e21b95b8 cve-icon cve-icon
https://github.com/strapi/strapi/security/advisories/GHSA-495j-h493-42q2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact