Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying — CVE-2025-64526

Summary

### Summary of CVE-2025-64526 Vulnerability Details - CVE: CVE-2025-64526 - CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N` (6.9 — Medium) - Affected Versions: `@strapi/plugin-users-permissions` <=5.44.0 - How to Patch: Immediately update your Strapi to >=5.45.0 ### Description of CVE-2025-64526 In Strapi versions prior to 5.45.0, the rate-limit middleware in the…

Product

npm: @strapi/plugin-users-permissions

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source
• CVE Record
• NVD

Related advisories