{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-64526","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-11-05T21:15:39.401Z","datePublished":"2026-05-14T18:32:01.998Z","dateUpdated":"2026-05-16T00:49:25.996Z"},"containers":{"cna":{"title":"Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying","problemTypes":[{"descriptions":[{"cweId":"CWE-307","lang":"en","description":"CWE-307: Improper Restriction of Excessive Authentication Attempts","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":6.9,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/strapi/strapi/security/advisories/GHSA-7mqx-wwh4-f9fw","tags":["x_refsource_CONFIRM"],"url":"https://github.com/strapi/strapi/security/advisories/GHSA-7mqx-wwh4-f9fw"},{"name":"https://github.com/strapi/strapi/pull/24818","tags":["x_refsource_MISC"],"url":"https://github.com/strapi/strapi/pull/24818"},{"name":"https://github.com/strapi/strapi/commit/5e0d243cba9830e6f791de6a94798bcde51468db","tags":["x_refsource_MISC"],"url":"https://github.com/strapi/strapi/commit/5e0d243cba9830e6f791de6a94798bcde51468db"},{"name":"https://github.com/strapi/strapi/releases/tag/v5.45.0","tags":["x_refsource_MISC"],"url":"https://github.com/strapi/strapi/releases/tag/v5.45.0"}],"affected":[{"vendor":"strapi","product":"strapi","versions":[{"version":"< 5.45.0","status":"affected"}]},{"vendor":"strapi","product":"@strapi/plugin-users-permissions","versions":[{"version":"< 5.45.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-14T18:33:56.463Z"},"descriptions":[{"lang":"en","value":"Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts. The rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request. The patch in version 5.45.0 maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated as identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled."}],"source":{"advisory":"GHSA-7mqx-wwh4-f9fw","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-16T00:48:16.468125Z","id":"CVE-2025-64526","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-16T00:49:25.996Z"}}]}}