CVE-2023-38507: 
JavaScript vulnerability analysis and mitigation

Strapi, an open-source headless content management system, was found to have a vulnerability in versions prior to 4.12.1 where attackers could bypass the rate limiting mechanism on the login function of the admin screen. The vulnerability, identified as CVE-2023-38507, was discovered and patched in version 4.12.1 released on August 2, 2023 (Strapi Release, NVD).

The vulnerability stems from improper implementation of rate limiting on the login function. Attackers could circumvent the rate limit by manipulating the request path in two ways: by modifying the case of the path (uppercase/lowercase variations) or by adding trailing slashes to the request path. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL by NIST NVD, while GitHub assessed it with a score of 7.3 HIGH (NVD, GitHub Advisory).

The vulnerability allows attackers to bypass login rate limiting, significantly increasing the possibility of unauthorized access through brute force attacks against the admin interface. This could potentially lead to complete system compromise as successful authentication would grant administrative access to the Strapi instance (GitHub Advisory).

The vulnerability has been fixed in Strapi version 4.12.1. The fix involves forcing the conversion of request paths used for rate limiting to a consistent case (upper or lower) and removing extra slashes in the request path. Users are strongly advised to upgrade to version 4.12.1 or later to receive the patch (Strapi Release).