
CVE-2025-64526: Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

AI Predicted: 7.5 · Difficulty: Easy · EPSS: 0.04% · P14

Affected Version Matrix (2)

Vendor | Product                            | Version Range | Status
strapi | @strapi/plugin-users-permissions   | < 5.45.0      | affected
strapi | strapi                             | < 5.45.0      | affected

I. Basic Information for CVE-2025-64526

Vulnerability Information


Vulnerability Title
Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying
Source: NVD (National Vulnerability Database)
Vulnerability Description
Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts. The rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request. The patch in version 5.45.0 maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated as identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.
Source: NVD (National Vulnerability Database)
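The key derivation described above, as an added illustration that is not Strapi's own middleware code: a simplified vulnerable key function beside a hardened one that applies the allow-list, plus a helper that counts how many independent rate-limit buckets a burst of requests from one IP produces. The `ctx` shape, the function names, and the `no-identifier` fallback token are assumptions; the route names come from the advisory.

```javascript
// Added example, not Strapi source. Models the key construction
// `${userIdentifier}:${requestPath}:${ctx.request.ip}` from the advisory.

// Routes whose contract legitimately identifies the caller by email
// (the allow-list introduced by the 5.45.0 fix, per the advisory).
const EMAIL_KEYED_ROUTES = new Set(['/auth/forgot-password', '/auth/local/register']);

// Vulnerable form (pre-5.45.0 behaviour): body.email is trusted on every
// route the middleware is mounted on, so a rotating email yields a new key.
function vulnerableKey(ctx) {
  const userIdentifier = ctx.request.body.email;
  return `${userIdentifier}:${ctx.request.path}:${ctx.request.ip}`;
}

// Hardened form: body.email only contributes on allow-listed routes; OAuth
// callbacks under /connect/ and every other route use a fixed identifier-less
// component, so the key collapses to per-IP scope. ('no-identifier' is an
// assumed placeholder token, not the value Strapi uses.)
function hardenedKey(ctx) {
  const path = ctx.request.path;
  const useEmail = !path.startsWith('/connect/') && EMAIL_KEYED_ROUTES.has(path);
  const userIdentifier = useEmail ? String(ctx.request.body.email || '') : 'no-identifier';
  return `${userIdentifier}:${path}:${ctx.request.ip}`;
}

// Number of distinct limiter buckets a batch of requests lands in. A per-IP
// limiter is only effective if this stays at 1 for one IP and one route.
function distinctBuckets(requests, keyFn) {
  return new Set(requests.map(keyFn)).size;
}

// Constructed sample burst: one IP, the login route, and an `email` field
// that the route contract does not define, rotated on every request.
function rotatingEmailBurst(n, path = '/auth/local') {
  return Array.from({ length: n }, (_, i) => ({
    request: {
      path,
      ip: '203.0.113.10',
      body: { identifier: 'user', password: 'x', email: `rot${i}@example.test` },
    },
  }));
}
```

Running `distinctBuckets(rotatingEmailBurst(50), vulnerableKey)` yields 50 separate buckets while the hardened key yields 1, which is the observable difference a defender can check when verifying the upgrade.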
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Restriction of Excessive Authentication Attempts
Source: NVD (National Vulnerability Database)
Vulnerability Title
Strapi security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Strapi is an open source content management system (CMS) from the French strapi community. Strapi versions prior to 5.45.0 contain a security vulnerability that stems from the rate-limit middleware in the users-permissions plugin deriving its rate-limit key from ctx.request.body.email, including on routes whose request-body schema does not contain an email field. This may allow an unauthenticated attacker to include an arbitrary email value in every request to obtain a new rate-limit key, thereby bypassing IP-based throttling and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attacks.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor | Product                          | Affected Versions | CPE
strapi | strapi                           | < 5.45.0          | -
strapi | @strapi/plugin-users-permissions | < 5.45.0          | -

II. Public POCs for CVE-2025-64526

# | POC Description | Source Link | Shenlong Link

No public POC found.


III. Intelligence Information for CVE-2025-64526


Same Patch Batch · strapi · 2026-05-14 · 5 CVEs total

CVE-2026-22706: Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
CVE-2026-22707: Strapi Upload Plugin MIME Validation Bypass via Content API
CVE-2026-22599: Strapi Vulnerable to SQL Injection in Content Type Builder
CVE-2026-27886: Strapi may leak sensitive data via relational filtering due to lack of query sanitization

IV. Related Vulnerabilities

V. Comments for CVE-2025-64526
