cbcvebase.
CVE-2023-22621
published 2023-04-19


Priority: P1 (82, high)
CVSS 3.1: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 76.83% (99.5th percentile)
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.

Affected

3 ranges
Vendor | Product                  | Version range    | Fixed in
strapi | plugin-email             | >= 0 < 4.5.6     | 4.5.6
strapi | plugin-users-permissions | >= 0 < 4.5.6     | 4.5.6
strapi | strapi                   | >= 3.0.0 < 4.5.6 | 4.5.6

Detection & IOCs (extracted from sources)

URL: /api/auth/local/register
Other: %=*/}]}).output }` %>
  • SSTI exploit payload injected into the Strapi email template 'message' field — look for template expressions containing `%=` combined with JavaScript object/closure syntax (e.g., `*/}]}).output`) in admin panel email template configuration requests.
  • Exploitation triggers an outbound DNS interaction (OOB) upon a new user registration via /api/auth/local/register — monitor for unexpected DNS lookups originating from the Strapi server process after email template modification.
  • Successful SSTI exploitation returns HTTP 200 with a JSON body containing both 'ok' and 'true' fields — correlate admin-panel email template saves followed by registration requests returning this response pattern.
  • The exploit flow involves two stages: (1) an authenticated admin modifying the email_confirmation template with a malicious SSTI payload, then (2) triggering execution via a new user registration POST to /api/auth/local/register.
  • Error response body containing 'ApplicationError' from /api/auth/local/register may indicate the SSTI payload was triggered but caused a server-side error — flag registrations that return ApplicationError in JSON alongside abnormal server-side activity.
  • Vulnerability affects Strapi through version 4.5.5 only — instances running versions above 4.5.5 with patched template validation are not affected.
  • Exploitation requires prior authenticated access to the Strapi admin panel — unauthenticated attackers cannot directly inject the malicious email template payload.
  • The SSTI payload is placed specifically in the 'email_confirmation' template's 'message' field within the Strapi admin email settings — detection should focus on modifications to this specific template field.
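As an added illustration of the two-stage correlation the bullets above describe (this is example code, not from the advisory sources), a small Python detector over constructed audit-log lines: it flags email-template saves whose message carries the `%=` plus closure-syntax indicator, then raises a second alert when a registration to /api/auth/local/register returning 200 with ok:true, or an ApplicationError, follows within a time window. The template-save path and the body shape are assumptions about the Strapi admin API; map them to whatever your own logs record.

```python
import json
import re
from datetime import datetime, timedelta

# Assumed admin path for saving email templates; adjust to the path seen in your own logs.
TEMPLATE_SAVE_PATH = "/users-permissions/email-templates"
REGISTER_PATH = "/api/auth/local/register"
# Indicator from the advisory: '%=' combined with JS object/closure syntax such as '*/}]}).output'.
TEMPLATE_INDICATOR = re.compile(r"%=.*?(\*/\}\]\}\)|\)\.output)", re.S)
WINDOW = timedelta(hours=2)  # how long after a suspicious save a registration is still correlated

# Constructed sample audit log (one JSON object per line); not real Strapi output.
SAMPLE_LOG = """
{"ts":"2023-04-20T08:00:00Z","src":"198.51.100.4","method":"POST","path":"/api/auth/local/register","status":200,"response":{"ok":true}}
{"ts":"2023-04-20T10:00:01Z","src":"10.0.0.5","method":"PUT","path":"/users-permissions/email-templates","body":{"email_confirmation":{"options":{"message":"<p>Welcome <%= USER.username %></p>"}}}}
{"ts":"2023-04-20T10:05:12Z","src":"10.0.0.5","method":"PUT","path":"/users-permissions/email-templates","body":{"email_confirmation":{"options":{"message":"Welcome %=*/}]}).output }` %>"}}}}
{"ts":"2023-04-20T10:06:40Z","src":"203.0.113.7","method":"POST","path":"/api/auth/local/register","status":200,"response":{"ok":true}}
{"ts":"2023-04-20T11:00:00Z","src":"203.0.113.9","method":"POST","path":"/api/auth/local/register","status":400,"response":{"error":{"name":"ApplicationError"}}}
"""

def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return (alert, ts, src) tuples: suspicious template saves and the registrations that follow them."""
    alerts, suspicious_saves = [], []
    for e in events:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        if e["method"] == "PUT" and e["path"] == TEMPLATE_SAVE_PATH:
            # Assumed body shape: {"email_confirmation": {"options": {"message": ...}}}
            msg = e.get("body", {}).get("email_confirmation", {}).get("options", {}).get("message", "")
            if TEMPLATE_INDICATOR.search(msg):
                suspicious_saves.append(ts)
                alerts.append(("ssti_template_save", e["ts"], e["src"]))
        elif e["method"] == "POST" and e["path"] == REGISTER_PATH:
            resp = e.get("response", {})
            error = resp.get("error") or {}
            # Advisory: success returns 200 with ok:true; a triggered-but-failed payload returns ApplicationError.
            triggered = (e.get("status") == 200 and resp.get("ok") is True) or error.get("name") == "ApplicationError"
            # Only correlate registrations that follow a suspicious template save within WINDOW.
            if triggered and any(timedelta(0) <= ts - s <= WINDOW for s in suspicious_saves):
                alerts.append(("ssti_triggered", e["ts"], e["src"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The benign template save and the registration with no preceding suspicious save produce no alert, which is the false-positive case the correlation is there to suppress.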

CVSS provenance

NVD: CVSS v3.1 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 7.2 HIGH