Home > Vulnerability Database > WS-2023-0108

Mend.io Vulnerability Database

WS-2023-0108

Date: August 19, 2025

Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that use AWS Cognito for authentication.

Language: JS

Severity Score

9.6

Related Resources (6)

Url: https://github.com/strapi/strapi/releases/tag/v4.6.0

Url: https://github.com/strapi/strapi/security/advisories/GHSA-xv3q-jrmm-4fxv

Url: https://github.com/strapi/strapi/pull/15382

Url: https://github.com/strapi/strapi/commit/d0edd25ceb49d275d710bf8d59999a2c07072893

Url: https://github.com/strapi/strapi

Url: https://www.mend.io/vulnerability-database/WS-2023-0108

Severity Score

9.6

Weakness Type (CWE)

Authentication Bypass Using an Alternate Path or Channel

CWE-288

CVSS v3.1

Base Score:	9.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

WS-2023-0108

Date: August 19, 2025

Language: JS

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?