Strapi Authenticated SSTI in Email Templates
CVE-2023-22621 is an authenticated server-side template injection vulnerability in Strapi affecting versions through 4.5.5. The issue lies in the email-template handling used by the Users-Permissions plugin and related email-plugin logic: a user with access to the Strapi admin panel can inject a crafted payload into an email template. Validation intended to prevent code execution can be bypassed, so lodash _.template() expressions can be stored in templates such as reset_password. When Strapi later renders the modified template, the attacker-controlled server-side template code is evaluated, resulting in arbitrary command or code execution on the Strapi server.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository provides a proof-of-concept exploit for CVE-2023-22621, a server-side template injection (SSTI) vulnerability in Strapi versions <= 4.5.5. The exploit leverages the 'sendTemplatedEmail' function, which uses lodash's template engine to render email templates, allowing arbitrary JavaScript execution. The main exploit script (poc.py) is a Python3 tool that automates the attack: it authenticates as an admin, enables email confirmation, injects a malicious template containing a payload (by default, a bash reverse shell), and triggers the payload by registering a new user. The script supports custom payloads and allows the attacker to specify the target Strapi URL, admin credentials, attacker's IP/port, and other options. The README provides usage instructions and background on the vulnerability. The repository is structured with a single exploit script and a README, and is operational, providing a working RCE exploit against vulnerable Strapi instances.
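Since both the description above and the PoC summary hinge on what is stored in the email templates, a defender's check is to audit the stored templates for anything beyond plain variable interpolation. The following is an added example, not Strapi's or the PoC repository's code; it assumes the users-permissions email settings shape ({ reset_password: { subject, message }, ... }) and runs over constructed sample templates:

```javascript
// Added example, not Strapi's own code: audit stored e-mail templates for lodash
// syntax that runs as JavaScript when Strapi renders them with _.template().
// Input follows the users-permissions email settings shape
// ({ reset_password: { subject, message }, ... }); samples are constructed.

// lodash default delimiters: <%= %> interpolate, <%- %> escape, <% %> evaluate.
const TAG_RE = /<%([=-]?)([\s\S]*?)%>/g;
// With default delimiters lodash also honours ES-style ${ ... } interpolation,
// so a filter that only looks for "<%" misses this form.
const ES_RE = /\$\{([\s\S]*?)\}/g;
// A stock template only needs a dotted identifier path (URL, TOKEN, USER.username).
const SAFE_EXPR_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function auditTemplate(name, source) {
  const findings = [];
  for (const [tag, kind, body] of source.matchAll(TAG_RE)) {
    if (kind === '') {
      findings.push({ template: name, tag, reason: 'evaluate tag runs arbitrary JavaScript' });
    } else if (!SAFE_EXPR_RE.test(body.trim())) {
      findings.push({ template: name, tag, reason: 'interpolation is not a plain variable path' });
    }
  }
  for (const [tag, body] of source.matchAll(ES_RE)) {
    if (!SAFE_EXPR_RE.test(body.trim())) {
      findings.push({ template: name, tag, reason: '${ } interpolation is not a plain variable path' });
    }
  }
  return findings;
}

// Walk every template's subject and message; an empty result means nothing to review.
function auditTemplates(templates) {
  const findings = [];
  for (const [name, t] of Object.entries(templates)) {
    for (const field of ['subject', 'message']) {
      if (typeof t[field] === 'string') findings.push(...auditTemplate(`${name}.${field}`, t[field]));
    }
  }
  return findings;
}

// Constructed samples: reset_password mirrors the stock wording; the other two are tampered.
const SAMPLE_TEMPLATES = {
  reset_password: { subject: 'Reset password',
    message: '<p>We heard that you lost your password.</p><p><a href="<%= URL %>?code=<%= TOKEN %>">Reset</a></p>' },
  email_confirmation: { subject: 'Confirm <%= USER.username %>',
    message: '<p>Hi <%= USER.username %></p><% doSomething() %><p><%= URL %>?confirmation=<%= CODE %></p>' },
  newsletter: { subject: 'Hello ${ compute() }', message: 'Plain text only' },
};
console.log(JSON.stringify(auditTemplates(SAMPLE_TEMPLATES), null, 2));
```

Any finding is a template to restore from a known-good copy and an admin-panel action to look for in the audit trail; the ${ } case is the one a naive "<%" filter would pass.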
Recent activity
A Strapi server-side template injection vulnerability in email templates that can be abused for remote code execution by modifying reset-password email template data in the database.
A Strapi server-side template injection vulnerability that attackers included in their exposed toolkit to escalate from stolen credentials to remote code execution on Strapi servers.