Improper Query Parameter Sanitization in Strapi's Document Service
CVE-2024-56143

8.2HIGH

Key Information:

Vendor: Strapi
Status: Strapi
Vendor: CVE Published:; 16 October 2025

What is CVE-2024-56143?

Strapi, a popular open-source headless content management system, contains a vulnerability in its document service that affects versions 5.0.0 through 5.5.1. This flaw arises from improper sanitization of query parameters used with the lookup operator, allowing an attacker to craft a malicious query. By exploiting this vulnerability, an attacker can gain unauthorized access to sensitive private fields, including administrative passwords and reset tokens. This issue has been addressed in version 5.5.2, where improved input validation measures were implemented to safeguard against such unauthorized data exposure.

Affected Version(s)

strapi >= 5.0.0, < 5.5.2

References

https://github.com/strapi/strapi/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/strapi/strapi/commit/0c6e0953ae1e62afa...

x_refsource_MISC

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Dec 16, 2024

JSON