@strapi/plugin-users-permissions 4.26.1

Direct Vulnerabilities

Known vulnerabilities in the @strapi/plugin-users-permissions package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Insufficient Session Expiration @strapi/plugin-users-permissions is a headless CMS Affected versions of this package are vulnerable to Insufficient Session Expiration in the password reset or change operation. An attacker can maintain unauthorized access by continuing to use a previously obtained refresh token to generate new access tokens, even after the legitimate user resets their password. Note: This is only exploitable if a password reset or change occurs without supplying a `deviceId` parameter. How to fix Insufficient Session Expiration? Upgrade `@strapi/plugin-users-permissions` to version 5.33.3 or higher.	<5.33.3
M Brute Force @strapi/plugin-users-permissions is a headless CMS Affected versions of this package are vulnerable to Brute Force via the rate-limiting `middleware`. An attacker can bypass intended request throttling by manipulating the `email` field in the request body to generate unique rate-limit keys for each request, enabling high-volume brute-force or credential-stuffing attempts. How to fix Brute Force? Upgrade `@strapi/plugin-users-permissions` to version 5.45.0 or higher.	<5.45.0

Vulnerability

Vulnerable Version

Insufficient Session Expiration

@strapi/plugin-users-permissions is a headless CMS

Affected versions of this package are vulnerable to Insufficient Session Expiration in the password reset or change operation. An attacker can maintain unauthorized access by continuing to use a previously obtained refresh token to generate new access tokens, even after the legitimate user resets their password.

Note: This is only exploitable if a password reset or change occurs without supplying a deviceId parameter.

How to fix Insufficient Session Expiration?

Upgrade @strapi/plugin-users-permissions to version 5.33.3 or higher.

<5.33.3

Brute Force

@strapi/plugin-users-permissions is a headless CMS

Affected versions of this package are vulnerable to Brute Force via the rate-limiting middleware. An attacker can bypass intended request throttling by manipulating the email field in the request body to generate unique rate-limit keys for each request, enabling high-volume brute-force or credential-stuffing attempts.

How to fix Brute Force?

Upgrade @strapi/plugin-users-permissions to version 5.45.0 or higher.

<5.45.0

@strapi/plugin-users-permissions@4.26.1

Protect your API with a full-authentication process based on JWT

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically