CVE-2024-56143

HIGH LAB

Strapi < 5.5.2 - IDOR

Title source: rule

Description

Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2024-56143

View Code ZIP pw:eip

References (2)

[Patch] https://github.com/strapi/strapi/commit/0c6e0953ae1e62afae9329de7ae6d6a5e21b95b8

View Patch ZIP pw:eip

[Exploit, Vendor Advisory] https://github.com/strapi/strapi/security/advisories/GHSA-495j-h493-42q2

Scores

CVSS v3 8.2

EPSS 0.0002

EPSS Percentile 6.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Lab Environment

Lab screenshot

vulnerable

docker pull ghcr.io/exploitintel/cve-2024-56143-vulnerable:latest

All Labs GitHub

Classification

CWE

CWE-639

Status published

Affected Products (2)

strapi/strapi < 5.5.2

strapi/core < 5.5.2npm

Timeline

Published Oct 16, 2025

Tracked Since Feb 18, 2026