CVE-2025-53092: 
JavaScript vulnerability analysis and mitigation

Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. The vulnerability (CVE-2025-53092) was discovered and disclosed on October 16, 2025. The issue affects the @strapi/core npm package, specifically versions below 5.20.0 (GitHub Advisory).

The vulnerability stems from Strapi's default behavior of reflecting the Origin header value in the Access-Control-Allow-Origin response header without proper validation or whitelisting. For example, if a request contains 'Origin: http://localhost:8888', the response will include 'Access-Control-Allow-Origin: http://localhost:8888' along with 'Access-Control-Allow-Credentials: true'. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (GitHub Advisory).

This vulnerability allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API, potentially leading to unauthorized access to sensitive information (GitHub Advisory).

The vulnerability has been fixed in Strapi version 5.20.0. Users should upgrade to this version or later to address the issue. No known workarounds exist for affected versions. The suggested fix involves explicitly whitelisting trusted origins and avoiding the reflection of dynamic origins (GitHub Advisory).