GHSA-9329-mxxw-qwf8 · Severity: high · Ecosystem: npm — Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist.
Conclusion & alert: CVE-2025-53092 is rated Low Risk (28.5/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.03%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-03-14 | 0.05% | 0.03% | -0.02% |
| 2 | 2026-02-15 | 0.03% | 0.05% | +0.02% |
| 3 | 2025-10-17 | — | 0.03% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
GHSA-9329-mxxw-qwf8 · Severity: high · Ecosystem: npm — Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
| URL | Tags |
|---|---|
| https://github.com/strapi/strapi/security/advisories/GHSA-9329-mxxw-qwf8 | Vendor Advisory |