Listen to this Post
How CVE-2025-64526 Works
The vulnerability exists in Strapi’s `@strapi/plugin-users-permissions` before version 5.45.0. The rate-limit middleware constructs a throttling key as ${userIdentifier}:${requestPath}:${ctx.request.ip}, where `userIdentifier` is taken from ctx.request.body.email. On routes like /auth/local, /auth/reset-password, and /auth/change-password, the expected body schema does not include an `email` field. However, an unauthenticated attacker can inject an arbitrary `email` value into the request body. Because the middleware uses this attacker-controlled value as part of the rate-limit key, each request with a different `email` yields a fresh key, bypassing per-IP throttling. This allows high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attacks without triggering 429 (Too Many Requests) responses. The patch introduces an allow-list of routes that legitimately rely on the email field (e.g., /auth/forgot-password, /auth/local/register). On all other routes, the middleware falls back to a fixed identifier-less key, restoring proper per-IP throttling. Indicators of exploitation include unusually high POST request volumes without 429 errors, request bodies containing both `identifier` and varying `email` fields on /auth/local, or unexpected `email` fields on /auth/reset-password.
dailycve form
Platform: Strapi users-permissions plugin
Version: 5.44.0 and lower
Vulnerability: Rate limit bypass
Severity: Medium CVSS 6.9
Date: 20 May 2025
Prediction: Expected patch 2025-05-30
What Undercode Say:
Analytics
Check for excessive POST requests without 429 responses
grep "POST /api/auth/local" /var/log/strapi/access.log | awk '{print $1, $9}' | sort | uniq -c | sort -nr
Detect request bodies with both identifier and varying email fields
grep -E '"identifier"\s:\s"[^"]",\s"email"\s:\s"[^"]"' /var/log/strapi/access.log
Monitor distinct rate-limit key prefixes per IP (requires custom logging)
tail -f /var/log/strapi/rate-limit.log | grep "key=" | cut -d: -f1 | sort | uniq -c
Exploit:
Attacker sends 1000 login attempts with rotating email to bypass rate-limit
for i in {1..1000}; do
curl -X POST https://target.com/api/auth/local \
-H "Content-Type: application/json" \
-d "{\"identifier\":\"[email protected]\",\"password\":\"guess$i\",\"email\":\"[email protected]\"}"
done
Protection from this CVE
- Immediately update Strapi to version `>=5.45.0`
– If patching is delayed, use a WAF to block requests to/auth/local,/auth/reset-password, `/auth/change-password` that contain an unexpected `email` field - Implement additional rate-limiting at the reverse proxy level (e.g., nginx
limit_req) based on source IP only - Monitor for IoCs: high POST volumes without 429 responses, requests with both `identifier` and `email` fields
Impact
- Unauthenticated attackers can brute-force user credentials at high velocity
- Password-reset codes can be brute-forced, leading to account takeover
- Credential stuffing attacks become feasible without IP-based blocking
- Increased server load and log noise from repetitive requests
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

