6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-53092

GHSA ID

GHSA-9329-mxxw-qwf8

EPSS Score

CWE

CWE-200

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-53092

CVE-2025-53092: Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

Summary

A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses.

Technical Details

By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting.

Example: Origin: http://localhost:8888 Access-Control-Allow-Origin: http://localhost:8888 Access-Control-Allow-Credentials: true

This allows an attacker-controlled site (on a different port, like 8888) to send credentialed requests to the Strapi backend on 1337.

Suggested Fix

Explicitly whitelist trusted origins
Avoid reflecting dynamic origins

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-53092

GHSA ID

GHSA-9329-mxxw-qwf8

EPSS Score

CWE

CWE-200

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@strapi/core	npm	< 5.20.0	5.20.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

### Summ*ry * *ORS mis*on*i*ur*tion vuln*r**ility *xists in ****ult inst*ll*tions o* Str*pi w**r* *tt**k*r-*ontroll** ori*ins *r* improp*rly r**l**t** in *PI r*spons*s. ### T***ni**l **t*ils *y ****ult, Str*pi r**l**ts t** v*lu* o* t** Ori*in ****

Reasoning

No *n*lysis *v*il**l*

6.5

Basic Information

Concerned about an active attack path?

CVE-2025-53092: Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

Summary

Technical Details

Suggested Fix

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI