Information Exposure Affecting strapi package, versions <3.6.9



    Attack Complexity High
    Confidentiality High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.58% (75th percentile)
Expand this section
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-STRAPI-2807810
  • published 4 May 2022
  • disclosed 4 May 2022
  • credit Kitchaphan Singchai

How to fix?

Upgrade strapi to version 3.6.9 or higher.


strapi is a HTTP layer sits on top of Koa.

Affected versions of this package are vulnerable to Information Exposure due to the storage of passwords in a recoverable format in the documentation plugin component. Exploiting this vulnerability allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks.