Rate-Limiting Bypass Vulnerability in Strapi Open Source CMS by Strapi
CVE-2025-64526

6.9 MEDIUM

Key Information:

Vendor: Strapi

CVE Published: 14 May 2026

What is CVE-2025-64526?

Strapi, a popular open source headless content management system, contains a vulnerability in its users-permissions plugin affecting versions before 5.45.0. The plugin's rate-limit middleware derives its throttling key partly from the email field of the request body, including on routes where no email field is expected. Because that field is under the client's control, an unauthenticated attacker can vary it so that each request maps to a fresh rate-limit key, which sidesteps the per-IP restriction the middleware is meant to enforce. The practical consequence is that brute-force attempts against user credentials and password-reset tokens are no longer throttled. Strapi addressed the issue in version 5.45.0 by introducing an allow-list of the routes that legitimately key on email; every other route now falls back to a key with no email component, so throttling on those routes remains effective.
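The key-derivation defect and its allow-list fix, as an added example in plain Node.js (this is constructed for illustration and is not Strapi's middleware code). The route names, the request object shape, the fixed-window counter and the sample traffic are all assumptions; the point is the regression check at the bottom, which a maintainer would keep in the test suite to confirm that a changing email field cannot defeat throttling on a route that is not supposed to use it.

```javascript
"use strict";

// Constructed example for the advisory above; not Strapi's own code.
// Routes that legitimately throttle per (ip, email) pair, such as login and
// forgot-password. This set is an assumption, not Strapi's actual allow-list.
const EMAIL_KEYED_ROUTES = new Set(["/api/auth/local", "/api/auth/forgot-password"]);

// Normalise the email from the request body; empty string when absent.
function emailFrom(req) {
  const email = req.body && req.body.email;
  return typeof email === "string" ? email.trim().toLowerCase() : "";
}

// Before the fix: any request body carrying an "email" field contributes to
// the key, whatever the route. The client controls that field, so a single IP
// can obtain a new key on every request.
function keyVulnerable(req) {
  return `${req.ip}:${req.path}:${emailFrom(req)}`;
}

// After the fix: only allow-listed routes include the email in the key; every
// other route keys on the client IP and path alone.
function keyFixed(req) {
  const email = EMAIL_KEYED_ROUTES.has(req.path) ? emailFrom(req) : "";
  return `${req.ip}:${req.path}:${email}`;
}

// Minimal fixed-window counter: at most `max` requests per key are allowed.
class FixedWindowLimiter {
  constructor(max, keyFn) {
    this.max = max;
    this.keyFn = keyFn;
    this.counts = new Map();
  }
  allow(req) {
    const key = this.keyFn(req);
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n <= this.max;
  }
}

// Regression check: send `attempts` requests from one IP to a route that is
// NOT supposed to use the email, each carrying a different throw-away email
// value, and count how many the limiter lets through. A correct key function
// must return `max`; the vulnerable one returns `attempts`.
function countAllowed(keyFn, attempts, max) {
  const limiter = new FixedWindowLimiter(max, keyFn);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    const req = {
      ip: "203.0.113.10", // constructed TEST-NET-3 address
      path: "/api/auth/reset-password", // assumed route that should not key on email
      body: { code: "placeholder-code", password: "placeholder", email: `filler${i}@example.invalid` },
    };
    if (limiter.allow(req)) allowed++;
  }
  return allowed;
}

console.log("vulnerable key, requests allowed:", countAllowed(keyVulnerable, 50, 5)); // 50
console.log("fixed key, requests allowed:     ", countAllowed(keyFixed, 50, 5)); // 5
```

Note that the fixed key still incorporates the email on the allow-listed routes, so legitimate per-account throttling on login and forgot-password is unchanged; only the routes outside the list lose the email component.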

Affected Version(s)

@strapi/plugin-users-permissions < 5.45.0

strapi < 5.45.0

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved