CVE-2024-52588: 
JavaScript vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Strapi's webhook functionality, identified as CVE-2024-52588. The vulnerability affects Strapi versions prior to 4.25.2 and was disclosed on May 27, 2025. The issue exists in the Settings -> Webhooks function where the application allows users to input URLs for webhook connections, including local domains such as localhost, 127.0.0.1, and 0.0.0.0, which can lead to internal server access (GitHub Advisory).

The vulnerability allows an attacker to input local domain URLs into the webhook URL field, enabling the application to make requests to internal resources. The CVSS v3.1 base score is 4.9 (Moderate), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-918 (Server-Side Request Forgery). The issue specifically manifests when creating webhook connections, where the application fails to properly validate input URLs, allowing connections to internal network resources (GitHub Advisory).

The vulnerability enables attackers to perform port scanning and service discovery on the internal network. If a server running Strapi has multiple open ports, an attacker can potentially brute-force through all 65,535 ports to identify which ports are open and potentially accessible. This could lead to the exposure of internal services and sensitive information (GitHub Advisory).

The vulnerability has been patched in Strapi version 4.25.2. Users are advised to upgrade to this version or later to mitigate the risk. No alternative workarounds have been provided (GitHub Advisory).