CVE-2024-56143

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-56143

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56143.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-56143

Aliases

GHSA-495j-h493-42q2

Published

2025-10-16T16:07:30.996Z

Modified

2026-04-10T05:19:26.388972Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator

Summary

Strapi Allows Unauthorized Access to Private Fields via parms.lookup

Details

Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56143.json",
    "cwe_ids": [
        "CWE-639"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/strapi/strapi

Affected ranges

Type: GIT
Repo: https://github.com/strapi/strapi
Events: Introduced

ce84fada19d58a7dfbdd553035e6558f8befcba4

Fixed

4012abe398eb731b53c07648dbc5bb7415bd26e4

Affected versions

v4.*

v4.25.16

v5.*

v5.0.0

v5.0.2-beta.0

v5.0.4

v5.5.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56143.json"