@strapi/core
npm
3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @strapi/core
- CVE-2024-56143 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 5.5.2 | 2025-10-16
Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can acces…
- CVE-2025-25298 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 5.10.3 | 2025-10-16
Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 by…
- CVE-2025-53092 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 5.20.0 | 2025-10-16
Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Acc…