@strapi/admin 0.0.0-next.a3e29269a0d0a4388674efc37e9383c621bfac87 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @strapi/admin package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Weak Encoding for Password @strapi/admin is a Strapi Admin Affected versions of this package are vulnerable to Weak Encoding for Password in to the implementation of password hashing. An attacker can reduce the effective entropy of user passwords and potentially mislead users about the required password length by submitting passwords longer than 72 bytes, which are silently truncated during hashing. How to fix Weak Encoding for Password? Upgrade `@strapi/admin` to version 5.10.3 or higher.	<5.10.3
M Insufficient Session Expiration @strapi/admin is a Strapi Admin Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to invalidate JWT after logout or account deactivation. An attacker can maintain unauthorized access by reusing a stolen or intercepted token until it expires. The presence of the `/admin/renew-token` endpoint allows indefinite renewal of near-expiration tokens, further extending the attack window. How to fix Insufficient Session Expiration? Upgrade `@strapi/admin` to version 5.24.2 or higher.	<5.24.2
M Server-side Request Forgery (SSRF) @strapi/admin is a Strapi Admin Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `Settings -> Webhooks` function. An attacker can manipulate the application to expose information on internal resources, such as to detect open ports, by supplying malicious URLs pointing to local or internal addresses. How to fix Server-side Request Forgery (SSRF)? Upgrade `@strapi/admin` to version 4.25.2 or higher.	<4.25.2
H Denial of Service (DoS) @strapi/admin is a Strapi Admin Affected versions of this package are vulnerable to Denial of Service (DoS) such that an attacker can circumvent the rate limit on the login function of Strapi's admin screen. How to fix Denial of Service (DoS)? Upgrade `@strapi/admin` to version 4.12.1 or higher.	<4.12.1
M Information Exposure @strapi/admin is a Strapi Admin Affected versions of this package are vulnerable to Information Exposure such that attackers can get access to user reset password tokens given that they have the configure view permissions. This issue arises because the `/content-manager/relations` route does not remove private fields or ensure that they can't be selected. How to fix Information Exposure? Upgrade `@strapi/admin` to version 4.11.7 or higher.	<4.11.7

Vulnerability

Vulnerable Version

Weak Encoding for Password

@strapi/admin is a Strapi Admin

Affected versions of this package are vulnerable to Weak Encoding for Password in to the implementation of password hashing. An attacker can reduce the effective entropy of user passwords and potentially mislead users about the required password length by submitting passwords longer than 72 bytes, which are silently truncated during hashing.

How to fix Weak Encoding for Password?

Upgrade @strapi/admin to version 5.10.3 or higher.

<5.10.3

Insufficient Session Expiration

@strapi/admin is a Strapi Admin

Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to invalidate JWT after logout or account deactivation. An attacker can maintain unauthorized access by reusing a stolen or intercepted token until it expires. The presence of the /admin/renew-token endpoint allows indefinite renewal of near-expiration tokens, further extending the attack window.

How to fix Insufficient Session Expiration?

Upgrade @strapi/admin to version 5.24.2 or higher.

<5.24.2

Server-side Request Forgery (SSRF)

@strapi/admin is a Strapi Admin

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the Settings -> Webhooks function. An attacker can manipulate the application to expose information on internal resources, such as to detect open ports, by supplying malicious URLs pointing to local or internal addresses.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @strapi/admin to version 4.25.2 or higher.

<4.25.2

Denial of Service (DoS)

@strapi/admin is a Strapi Admin

Affected versions of this package are vulnerable to Denial of Service (DoS) such that an attacker can circumvent the rate limit on the login function of Strapi's admin screen.

How to fix Denial of Service (DoS)?

Upgrade @strapi/admin to version 4.12.1 or higher.

<4.12.1

Information Exposure

@strapi/admin is a Strapi Admin

Affected versions of this package are vulnerable to Information Exposure such that attackers can get access to user reset password tokens given that they have the configure view permissions. This issue arises because the /content-manager/relations route does not remove private fields or ensure that they can't be selected.

How to fix Information Exposure?

Upgrade @strapi/admin to version 4.11.7 or higher.

<4.11.7

@strapi/admin@0.0.0-next.a3e29269a0d0a4388674efc37e9383c621bfac87 vulnerabilities

Strapi Admin

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically