Skip to content

Strapi allows Server-Side Request Forgery in Webhook function

Moderate severity GitHub Reviewed Published May 27, 2025 in strapi/strapi • Updated May 27, 2025

Package

npm @strapi/admin (npm)

Affected versions

< 4.25.2

Patched versions

4.25.2

Description

Description

In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as localhost, 127.0.0.1, 0.0.0.0,.... in order to make the Application fetching into the internal itself, which causes the vulnerability Server - Side Request Forgery (SSRF).

Payloads

  • http://127.0.0.1:80 -> The Port is not open
  • http://127.0.0.1:1337 -> The Port which Strapi is running on

Steps to Reproduce

  • First of all, let's input the URL http://127.0.0.1:80 into the URL field, and click "Save".

CleanShot 2024-06-04 at 22 45 17@2x

  • Next, use the "Trigger" function and use Burp Suite to capture the request / response

CleanShot 2024-06-04 at 22 47 50@2x

  • The server return request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80, BECAUSE the Port 80 is not open, since we are running Strapi on Port 1337, let's change the URL we input above into http://127.0.0.1:1337

CleanShot 2024-06-04 at 22 50 13@2x

  • Continue to click the "Trigger" function, use Burp to capture the request / response

CleanShot 2024-06-04 at 22 53 25@2x

  • The server returns Method Not Allowed, which means that there actually is a Port 1337 running the machine.

PoC

Here is the Poc Video, please check:

https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing

Impact

  • If there is a real server running Strapi with many ports open, by using this SSRF vulnerability, the attacker can brute-force through all 65535 ports to know what ports are open.

References

@derrickmehaffy derrickmehaffy published to strapi/strapi May 27, 2025
Published to the GitHub Advisory Database May 27, 2025
Reviewed May 27, 2025
Last updated May 27, 2025

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS score

Weaknesses

CVE ID

CVE-2024-52588

GHSA ID

GHSA-v8wj-f5c7-pvxf

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.