CVE-2024-56143

HIGH LAB

Strapi < 5.5.2 - IDOR

Title source: rule

Description

Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2024-56143

View Code ZIP pw:eip

References (2)

[Patch] https://github.com/strapi/strapi/commit/0c6e0953ae1e62afae9329de7ae6d6a5e21b95b8

View Patch ZIP pw:eip

[Exploit, Vendor Advisory] https://github.com/strapi/strapi/security/advisories/GHSA-495j-h493-42q2

Related Analysis

72-Hour Stress Test

Scores

CVSS v3 8.2

EPSS 0.0002

EPSS Percentile 6.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Lab Environment

EIP LAB

Lab screenshot

vulnerable docker pull ghcr.io/exploitintel/cve-2024-56143-vulnerable:latest

View in Library GitHub

COMMUNITY

docker pull ghcr.io/exploitintel/cve-2024-56143-vulnerable:latest

https://github.com/strapi/strapi

https://github.com/exploitintel/eip-pocs-and-cves

View in Library

Details

CWE

CWE-639

Status published

Products (2)

strapi/core 5.0.0 - 5.5.2npm

strapi/strapi 5.0.0 - 5.5.2

Published Oct 16, 2025

Tracked Since Feb 18, 2026