[CVE-2022–32114] Strapi v4.1.12 — Unrestricted File Upload

2 min readMay 29, 2022


Vulnerability Explanation:

Strapi v4.1.12 has an Unrestricted File Upload vulnerability that allows an attacker to successfully upload files containing malicious content to the system and execute.

Tested on:

  1. Strapi Version 4.1.12
  2. Google Chrome Version 102.0.5005.61 (Official Build) (64-bit)

Payload :


Steps to attack:

  1. Log in with a user that has permission to upload files.

2. Click on the “Media Library” menu, then click on “+ Add new assets”.

3. Click on the “Browse files: button.

4. Then select the prepared file containing malicious content.

5. Then click on the “Upload 1 asset to the library” button to upload the file to the system.

6. Click edit in the corner of the file.

7. Click copy link.

8. Paste the link to a new tab, it will show that the payload XSS was executed.


Grim The Ripper Team by SOSECURE Thailand




You get the best out of others when you give the best of yourself