CVE-2022-30618: Improper Removal of Sensitive Information Before Storage or Transfer in Strapi
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.53883%
CWE
Published
5/20/2022
Updated
1/27/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
strapi | npm | >= 3.0.0, < 3.6.9 | 3.6.9 |
@strapi/strapi | npm | < 4.1.9 | 4.1.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper sanitization of sensitive fields in related user entities. Strapi's sanitizeEntity function is the primary mechanism for field filtering, and its failure to handle nested relationships from the users-permissions plugin indicates a flaw in this function. Additionally, the User model's serialization method (toJSON) would be responsible for controlling field exposure during data serialization. The combination of these two functions not properly handling relationship-based data inclusion matches the described vulnerability pattern of sensitive data leakage through indirect relationships in JSON responses.