Introduction
Attackers can extract password hashes and password reset tokens, including those of administrator accounts, from Strapi deployments by abusing a flaw in the lookup operator of the document service. The vulnerability affects organizations running Strapi 5.0.0 through 5.5.1 and exposes data that private fields are meant to keep out of API responses.
Strapi is a widely used open source headless content management system that powers thousands of web applications and APIs globally. Its flexibility and extensibility have made it a popular choice for developers and enterprises seeking a customizable CMS solution. With a large install base and active community, vulnerabilities in Strapi have broad real-world impact, especially for organizations relying on its API-driven architecture.
Technical Information
CVE-2024-56143 is rooted in Strapi's document service, specifically the lookup operator introduced in version 5. The operator enables flexible querying of content types, but in versions 5.0.0 through 5.5.1 it does not properly sanitize query parameters that reference private fields. A private field is an attribute marked private in the content type schema; on the user model this covers sensitive values such as the password hash and the reset token. Such attributes are stripped from API responses and must not be usable as filter, sort, or field-selection targets in public API queries, since a filter on a private field lets an attacker infer its value even when the field itself is never returned.
The vulnerability occurs because the lookup operator's parameter handling fails to validate whether a queried field is marked as private in the content type schema. When an attacker crafts a query that includes a private field name (for example, password or resetPasswordToken), the system does not block the request. As a result, the API response can include values from these sensitive fields, violating data confidentiality.
This issue is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the system trusts user-supplied query parameters to decide which fields a query may touch, without checking that the caller is authorized to reference them. The root cause is insufficient validation in the lookup operator's processing of query parameters.
The vulnerability was addressed in Strapi version 5.5.2, where the sanitization logic was updated to ensure that any reference to private fields in query parameters is detected and rejected before query execution.
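To make the difference between the vulnerable and the fixed behaviour concrete, the following is an added example (not Strapi's own sanitization code) of a schema-aware query sanitizer that rejects every reference to a private attribute, set beside a naive top-level deny-list of the kind that nested, relation-traversing, or alias-style references slip past. The schema shape loosely follows Strapi content-type schemas (attributes carrying private: true); the schema registry, function names, and sample queries are this example's own constructions and do not describe Strapi's internal API or its actual patch.

```javascript
// Added example, not Strapi code: a schema-aware sanitizer for the query
// shapes a headless CMS accepts (fields, filters, sort, populate). The schema
// registry, function names and sample queries are constructed for this demo.

const schemas = {
  user: {
    attributes: {
      username: { type: 'string' },
      email: { type: 'email' },
      password: { type: 'password', private: true },
      resetPasswordToken: { type: 'string', private: true },
      role: { type: 'relation', target: 'role' },
    },
  },
  role: {
    attributes: {
      name: { type: 'string' },
      internalNote: { type: 'string', private: true },
    },
  },
};

class ForbiddenFieldError extends Error {}
const LOGICAL = new Set(['$and', '$or', '$not']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Resolve a dotted attribute path ("role.name") against a schema, failing
// closed: unknown segments (including alias-style prefixes such as "t0") and
// private attributes both throw, so only allow-listed public attributes pass.
// hasOwn keeps prototype names like "constructor" from resolving as attributes.
function resolvePath(schema, path) {
  let current = schema;
  let attr;
  for (const segment of String(path).split('.')) {
    if (!hasOwn(current.attributes, segment)) throw new ForbiddenFieldError(`unknown attribute "${path}"`);
    attr = current.attributes[segment];
    if (attr.private) throw new ForbiddenFieldError(`private attribute "${path}"`);
    // Only relations have attributes below them; a scalar ends the path.
    current = attr.type === 'relation' ? schemas[attr.target] : { attributes: {} };
  }
  return attr;
}

// Walk a filters object: logical operators recurse, `$`-prefixed comparison
// operators are leaves whose value is data, and every other key is a field
// reference that must resolve to a public attribute (recursing into relations).
function checkFilters(schema, filters) {
  if (Array.isArray(filters)) return filters.forEach((f) => checkFilters(schema, f));
  if (filters === null || typeof filters !== 'object') return;
  for (const [key, value] of Object.entries(filters)) {
    if (LOGICAL.has(key)) {
      checkFilters(schema, value);
    } else if (!key.startsWith('$')) {
      const attr = resolvePath(schema, key);
      if (attr.type === 'relation') checkFilters(schemas[attr.target], value);
    }
  }
}

function checkSort(schema, sort) {
  for (const entry of [].concat(sort)) {
    if (typeof entry === 'string') resolvePath(schema, entry.split(':')[0]); // "field:asc"
    else Object.keys(entry).forEach((k) => resolvePath(schema, k));            // { field: 'asc' }
  }
}

function checkPopulate(schema, populate) {
  if (typeof populate === 'string') return resolvePath(schema, populate);
  if (Array.isArray(populate)) return populate.forEach((p) => checkPopulate(schema, p));
  for (const [key, sub] of Object.entries(populate)) {
    const attr = resolvePath(schema, key);
    // A nested populate carries its own fields/filters/sort for the target type.
    if (attr.type === 'relation' && sub && typeof sub === 'object') sanitizeQuery(schemas[attr.target], sub);
  }
}

// Entry point: throws ForbiddenFieldError on the first offending reference.
function sanitizeQuery(schema, query) {
  if (query.fields !== undefined) [].concat(query.fields).forEach((f) => resolvePath(schema, f));
  if (query.filters !== undefined) checkFilters(schema, query.filters);
  if (query.sort !== undefined) checkSort(schema, query.sort);
  if (query.populate !== undefined) checkPopulate(schema, query.populate);
  return query;
}

function isQuerySafe(contentType, query) {
  try { sanitizeQuery(schemas[contentType], query); return true; }
  catch (e) { if (e instanceof ForbiddenFieldError) return false; throw e; }
}

// The failure mode: a deny-list applied only to top-level filter keys.
function naiveIsQuerySafe(contentType, query) {
  const priv = Object.entries(schemas[contentType].attributes).filter(([, a]) => a.private).map(([n]) => n);
  return !Object.keys(query.filters || {}).some((k) => priv.includes(k));
}

// Constructed sample queries (not captured from any real deployment).
const samples = [
  ['public filter',     { filters: { username: { $eq: 'alice' } } }],
  ['private top-level', { filters: { password: { $startsWith: '$2a$' } } }],
  ['inside $or',        { filters: { $or: [{ username: 'alice' }, { resetPasswordToken: { $notNull: true } }] } }],
  ['via relation',      { filters: { role: { internalNote: { $contains: 'x' } } } }],
  ['alias-style key',   { filters: { 't0.password': { $startsWith: '$2a$' } } }],
  ['sort on private',   { sort: 'resetPasswordToken:asc' }],
  ['select private',    { fields: ['username', 'password'] }],
  ['populate private',  { populate: { role: { fields: ['internalNote'] } } }],
  ['prototype key',     { filters: { constructor: { $eq: 'x' } } }],
];
for (const [label, q] of samples) {
  console.log(label.padEnd(18), 'naive:', naiveIsQuerySafe('user', q) ? 'allowed ' : 'REJECTED',
    ' schema-aware:', isQuerySafe('user', q) ? 'allowed' : 'REJECTED');
}
```

The schema-aware version rejects everything except the public filter, while the naive deny-list lets the $or-nested, relation-traversing, alias-style, sort, fields, and populate variants through. The design point is that the check must be an allow-list resolved against the content type schema at every level where a query can name a field, not a string match against known-bad names at the top level; the alias-style case is the shape of regression the vendor history below describes.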
Affected Systems and Versions
- Strapi versions 5.0.0 through 5.5.1 are affected
- The vulnerability specifically impacts the document service lookup operator
- Only deployments on these versions are vulnerable; version 5.5.2 and later are not affected, and the document service lookup operator does not exist in releases before 5.0.0
Vendor Security History
Strapi has previously experienced similar vulnerabilities involving private field exposure and authorization bypass. Notably:
- CVE-2023-22894: Allowed filtering on private fields, exposing sensitive user data
- CVE-2023-34235: Bypass of the CVE-2023-22894 fix via SQL table alias manipulation
The vendor typically responds promptly to security disclosures and maintains a public security advisory process. However, the recurrence of private field exposure, once as a direct filter on private fields, once as a bypass of that fix, and now in a new query operator, indicates that validation is being added per entry point rather than enforced once against the content type schema for every place a query can name a field.