CVE-2024-34065
📋 TL;DR
This CVE describes an authentication bypass in Strapi's users-permissions plugin, the plugin that handles end-user (content API) accounts and third-party login providers. By chaining an open redirect with a session token that the plugin passes as a URL query parameter, an unauthenticated attacker can capture the third-party token and complete authentication as the victim after a single click on a crafted link. Every Strapi instance running an affected plugin version (below 4.24.2) is affected; the plugin ships and is enabled by default in Strapi 4 projects, and the attack runs through its third-party provider login flow.
💻 Affected Systems
- Strapi CMS with @strapi/plugin-users-permissions
📦 What is this software?
Strapi by Strapi
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of end-user (content API) accounts, giving the attacker whatever read and write access the victim's role grants through the API, including any sensitive content it exposes. The users-permissions plugin does not manage admin-panel accounts, so reaching administrative functions would require a separate weakness.
Likely Case
Unauthorized access to user accounts, exposure of third-party authentication tokens, and potential data exfiltration.
If Mitigated
Little residual impact once the plugin is updated or third-party providers are switched off. Network segmentation and monitoring help little on their own against a one-click attack on a public login flow: they shorten time to detection but leave the authentication bypass possible.
🎯 Exploit Status
The attack needs one click from a victim (following an attacker-supplied link) but is otherwise straightforward. No public PoC is listed here; the vendor advisory describes the technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.24.2
Vendor Advisory: https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc
Restart Required: Yes
Instructions:
1. Update @strapi/plugin-users-permissions to 4.24.2 or later with npm or yarn. Strapi requires all @strapi/* packages to share one version, so in practice upgrade the whole project to 4.24.2 (@strapi/strapi and every other @strapi/* dependency together).
2. Restart the Strapi application; a process started before the update keeps running the old code.
3. Verify the update: `npm ls @strapi/plugin-users-permissions` must resolve to 4.24.2 or later, and the lockfile must agree.
🔧 Temporary Workarounds
Disable the third-party provider login flow
Temporarily disable third-party (OAuth) authentication providers until patching is possible. In Strapi 4 providers are toggled in the admin panel under Settings > Users & Permissions plugin > Providers, not in a config file.
Alternatively, block the plugin's provider routes (`/api/connect/<provider>` and `/api/auth/<provider>/callback`) at the reverse proxy or with a Strapi middleware. Password login via `/api/auth/local` is unaffected by either workaround.
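The route-blocking workaround as a Strapi v4 global middleware. This is an added example, not code from Strapi or the advisory; the file name `src/middlewares/block-provider-auth.js`, the registration name `global::block-provider-auth` and the `prefix` option are assumptions for this illustration, while the two route shapes are the ones the users-permissions plugin ships.

```javascript
// Added example (not code from Strapi or the advisory): a global Strapi v4 middleware
// that refuses requests to the users-permissions third-party provider routes while the
// plugin is still unpatched. Assumed file: src/middlewares/block-provider-auth.js,
// registered by adding 'global::block-provider-auth' to the array in config/middlewares.js.
// Password login and registration (/api/auth/local, /api/auth/local/register) keep working.

// Strapi's default REST prefix; pass { prefix: '/other' } via the middleware config if changed.
const DEFAULT_PREFIX = '/api';

// The plugin's provider routes: /connect/<provider> starts the flow and
// /auth/<provider>/callback finishes it. Koa's router matches paths
// case-insensitively, so this check does too.
const PROVIDER_ROUTE = /^\/(connect\/[^/]+|auth\/[^/]+\/callback)\/?$/i;

function isProviderAuthPath(pathname, prefix = DEFAULT_PREFIX) {
  if (!pathname.toLowerCase().startsWith(prefix.toLowerCase())) return false;
  return PROVIDER_ROUTE.test(pathname.slice(prefix.length));
}

// Middleware factory in the shape Strapi expects: (config, { strapi }) => handler.
const blockProviderAuth = (config = {}, { strapi } = {}) => {
  const prefix = config.prefix ?? DEFAULT_PREFIX;
  return async (ctx, next) => {
    if (isProviderAuthPath(ctx.path, prefix)) {
      if (strapi) strapi.log.warn(`blocked provider login ${ctx.method} ${ctx.path} from ${ctx.ip}`);
      // Answer 404 in Strapi's own error envelope so the route looks absent rather than forbidden.
      ctx.status = 404;
      ctx.body = { data: null, error: { status: 404, name: 'NotFoundError', message: 'Not Found', details: {} } };
      return;
    }
    await next();
  };
};

if (typeof module !== 'undefined') module.exports = blockProviderAuth;
```

Register it near the top of the middleware array so it runs before the plugin's router, and remove it after the upgrade to 4.24.2. If you have changed `rest.prefix` in `config/api.js`, pass the same value as `prefix` in the middleware's config entry.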
🧯 If You Can't Patch
- Block the users-permissions provider routes at the reverse proxy if third-party login is not in use; the vulnerable surface is the public content-API authentication routes, not the admin panel, so segmenting the admin UI alone does not reduce exposure
- Log full request URLs (including query strings) for the authentication routes and alert on redirect-style parameters that name external hosts or on tokens appearing in query strings
🔍 How to Verify
Check if Vulnerable:
Check the installed version of @strapi/plugin-users-permissions. If it is below 4.24.2, the instance is vulnerable. Read the version from the lockfile or `npm ls`, not from the range in package.json: a range such as `^4.24.0` can resolve to either side of the fix.
Check Version:
`npm list @strapi/plugin-users-permissions` (or `yarn why @strapi/plugin-users-permissions`), or the plugin's entry in package-lock.json / yarn.lock
Verify Fix Applied:
Verify that @strapi/plugin-users-permissions resolves to 4.24.2 or higher in the lockfile and that the running process was restarted after the upgrade; a process started before the update still runs the old code.
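The lockfile check from the steps above in code. This is an added example, not code from Strapi or the advisory; it assumes a package-lock.json with lockfileVersion 2 or 3 (the `packages` map), and the lockfile object at the bottom is constructed to show the case where the declared range looks fine but the installed copy is not.

```javascript
// Added example (not code from Strapi or the advisory): decide from a project's
// lockfile whether the installed @strapi/plugin-users-permissions is older than the
// fixed 4.24.2. package.json usually declares a range such as "^4.24.0", which says
// nothing about what is actually installed; the lockfile does. Assumes
// package-lock.json with lockfileVersion 2 or 3 (the "packages" map). The lockfile
// object at the bottom is constructed for illustration.

const PLUGIN = '@strapi/plugin-users-permissions';
const FIXED_VERSION = '4.24.2';

// Numeric comparison of dotted versions: -1, 0 or 1. A pre-release such as
// 4.24.2-beta.0 orders before 4.24.2, as semver requires; pre-releases are not
// ordered among themselves because that never changes the vulnerable/fixed answer.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.replace(/^[^\d]*/, '').split('-', 2);
    return { nums: core.split('.').map(Number), pre };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Every installed copy of the plugin: the hoisted one under node_modules/ and any
// nested copy another package pulled in, since either could be the one Strapi loads.
function installedVersions(lock, name = PLUGIN) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([, meta]) => meta.version);
}

function assessLockfile(lock) {
  const versions = installedVersions(lock);
  return {
    versions,
    installed: versions.length > 0,
    vulnerable: versions.some(isVulnerable),
  };
}

// Constructed lockfile fragment: the declared range looks current, the installed copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@strapi/strapi': '^4.24.0', [PLUGIN]: '^4.24.0' } },
    'node_modules/@strapi/strapi': { version: '4.24.1' },
    [`node_modules/${PLUGIN}`]: { version: '4.24.1' },
  },
};
```

Against a real project, feed it the parsed file: `assessLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`. `installed: false` means the plugin is absent from the lockfile, which in a Strapi 4 project usually means the lockfile is stale rather than that the plugin is not used, so fall back to `npm ls` in that case.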
📡 Detection & Monitoring
Log Indicators:
- Requests to the plugin's provider routes (`/api/connect/<provider>`, `/api/auth/<provider>/callback`) whose redirect-style parameters name a host other than your own frontend
- Access or session tokens appearing in URL query strings; these also land in proxy logs, browser history and Referer headers, so treat every such entry as a potential leak
- Generic account-takeover signals such as repeated failed logins followed by a success from the same IP (not specific to this CVE, but worth correlating with the above)
Network Indicators:
- Spikes in requests to `/api/connect/<provider>` or `/api/auth/<provider>/callback`, especially 302 responses whose Location header (if your proxy logs it) names an external host
- Requests with redirect-style parameters (`redirect`, `callback`, `redirect_uri` and similar) naming a domain other than your own frontend
SIEM Query:
source="strapi" AND (url="*/api/connect/*" OR url="*/api/auth/*/callback*") AND (url="*redirect*" OR url="*callback=*" OR url="*token*") AND status IN (200, 301, 302)
Adjust field names to your log pipeline. Matching `*auth*` alone would catch every password login, and filtering on status=200 alone would miss the 302 that an open redirect returns.
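The indicators above as detection logic run over access-log lines, so the SIEM query can be validated offline before deployment. This is an added example, not from Strapi or the advisory; it assumes the combined log format written by a reverse proxy in front of Strapi and the default `/api` prefix, the trusted host names and parameter names are assumptions covering common conventions rather than a statement about which parameter the advisory concerns, and the log lines at the bottom are constructed, not captured traffic.

```javascript
// Added example (not from Strapi or the advisory): scan access-log lines from the
// reverse proxy in front of Strapi for two indicators, a redirect-style parameter
// naming an off-site host and a token carried in a query string. Assumes the
// combined log format and the default /api prefix. Parameter names are common
// conventions, not a statement about which parameter the advisory concerns; the
// log lines at the bottom are constructed, not captured traffic.

// Hosts allowed as redirect targets: your own frontends (assumed names).
const TRUSTED_HOSTS = new Set(['app.example.com', 'cms.example.com']);
const REDIRECT_PARAMS = new Set(['redirect', 'redirect_uri', 'redirect_url', 'callback', 'return', 'returnto', 'next', 'url']);
const TOKEN_PARAMS = new Set(['access_token', 'id_token', 'refresh_token', 'token', 'jwt']);

// ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+(?: "([^"]*)" "([^"]*)")?/;
const AUTH_PATH = /^\/api\/(connect\/|auth\/[^/]+\/callback)/i;

// True when a redirect value would leave the trusted frontends. Resolving against a
// placeholder base turns relative paths into that base, so they pass; absolute and
// protocol-relative (//host) values surface their real host. Non-http schemes are flagged.
function isExternalRedirect(value) {
  let u;
  try {
    u = new URL(value, 'https://placeholder.invalid');
  } catch {
    return false;
  }
  if (u.hostname === 'placeholder.invalid') return false;
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return true;
  return !TRUSTED_HOSTS.has(u.hostname);
}

// One parsed log line -> finding record, or null when nothing is suspicious.
function analyzeLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  let url;
  try {
    url = new URL(target, 'http://strapi.invalid');
  } catch {
    return null;
  }
  const findings = [];
  for (const [key, value] of url.searchParams) {
    const k = key.toLowerCase();
    if (TOKEN_PARAMS.has(k)) findings.push(`token-like parameter "${key}" in query string`);
    if (REDIRECT_PARAMS.has(k) && isExternalRedirect(value)) findings.push(`redirect parameter "${key}" points off-site: ${value}`);
  }
  if (findings.length === 0) return null;
  const authPath = AUTH_PATH.test(url.pathname);
  return { ip, time, method, path: url.pathname, status: Number(status), authPath, severity: authPath ? 'high' : 'medium', findings };
}

function scanLog(lines) {
  return lines.map(analyzeLine).filter(Boolean);
}

// Constructed sample traffic.
const SAMPLE_LOG = [
  // password login: nothing to flag
  '203.0.113.10 - - [12/May/2024:10:01:02 +0000] "POST /api/auth/local HTTP/1.1" 200 512 "https://app.example.com/login" "Mozilla/5.0"',
  // provider login whose redirect parameter names an attacker host
  '198.51.100.7 - - [12/May/2024:10:02:15 +0000] "GET /api/connect/github?callback=https%3A%2F%2Fevil.example%2Fgrab HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  // same route, redirect back to the trusted frontend: legitimate
  '198.51.100.8 - - [12/May/2024:10:02:40 +0000] "GET /api/connect/github?callback=https%3A%2F%2Fapp.example.com%2Fauth%2Fdone HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  // token carried in the query string of an ordinary API call
  '198.51.100.9 - - [12/May/2024:10:03:01 +0000] "GET /api/users/me?access_token=eyJhbGciOiJIUzI1NiJ9.constructed.sig HTTP/1.1" 200 233 "-" "curl/8.4.0"',
  // protocol-relative redirect, a common way past naive "starts with /" checks
  '198.51.100.7 - - [12/May/2024:10:03:30 +0000] "GET /api/connect/google?redirect_uri=%2F%2Fevil.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];
```

`scanLog(SAMPLE_LOG)` flags three of the five lines: the two provider requests redirecting to `evil.example` (rated high because they hit the authentication routes) and the token in the `/api/users/me` query string (medium). The trusted-frontend callback and the password login produce nothing, which is the behaviour the SIEM query should reproduce before it goes live; the proxy must be configured to log query strings, or the redirect and token parameters never reach the log in the first place.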