Strapi, Rate-Limit Bypass, CVE-2025-64526 (Medium)

Listen to this Post

How CVE-2025-64526 Works

The vulnerability exists in Strapi’s `@strapi/plugin-users-permissions` before version 5.45.0. The rate-limit middleware constructs a throttling key as ${userIdentifier}:${requestPath}:${ctx.request.ip}, where `userIdentifier` is taken from ctx.request.body.email. On routes like /auth/local, /auth/reset-password, and /auth/change-password, the expected body schema does not include an `email` field. However, an unauthenticated attacker can inject an arbitrary `email` value into the request body. Because the middleware uses this attacker-controlled value as part of the rate-limit key, each request with a different `email` yields a fresh key, bypassing per-IP throttling. This allows high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attacks without triggering 429 (Too Many Requests) responses. The patch introduces an allow-list of routes that legitimately rely on the email field (e.g., /auth/forgot-password, /auth/local/register). On all other routes, the middleware falls back to a fixed identifier-less key, restoring proper per-IP throttling. Indicators of exploitation include unusually high POST request volumes without 429 errors, request bodies containing both `identifier` and varying `email` fields on /auth/local, or unexpected `email` fields on /auth/reset-password.

dailycve form

Platform: Strapi users-permissions plugin
Version: 5.44.0 and lower
Vulnerability: Rate limit bypass
Severity: Medium CVSS 6.9
Date: 20 May 2025

Prediction: Expected patch 2025-05-30

What Undercode Say:

Analytics

Check for excessive POST requests without 429 responses
grep "POST /api/auth/local" /var/log/strapi/access.log | awk '{print $1, $9}' | sort | uniq -c | sort -nr
Detect request bodies with both identifier and varying email fields
grep -E '"identifier"\s:\s"[^"]",\s"email"\s:\s"[^"]"' /var/log/strapi/access.log
Monitor distinct rate-limit key prefixes per IP (requires custom logging)
tail -f /var/log/strapi/rate-limit.log | grep "key=" | cut -d: -f1 | sort | uniq -c

Exploit:

Attacker sends 1000 login attempts with rotating email to bypass rate-limit
for i in {1..1000}; do
curl -X POST https://target.com/api/auth/local \
-H "Content-Type: application/json" \
-d "{\"identifier\":\"[email protected]\",\"password\":\"guess$i\",\"email\":\"[email protected]\"}"
done

Protection from this CVE

  • Immediately update Strapi to version `>=5.45.0`
    – If patching is delayed, use a WAF to block requests to /auth/local, /auth/reset-password, `/auth/change-password` that contain an unexpected `email` field
  • Implement additional rate-limiting at the reverse proxy level (e.g., nginx limit_req) based on source IP only
  • Monitor for IoCs: high POST volumes without 429 responses, requests with both `identifier` and `email` fields

Impact

  • Unauthenticated attackers can brute-force user credentials at high velocity
  • Password-reset codes can be brute-forced, leading to account takeover
  • Credential stuffing attacks become feasible without IP-based blocking
  • Increased server load and log noise from repetitive requests

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top