CrowdSec
5/10 CrowdSec Score

Strapi - Authentication Bypass (CVE-2023-22893)

Published on 19-04-2023
First seen on 23-06-2025
CVSS 7.5/10
Strapi - Strapi

72 exploiting IPs reported

Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token whose header declares the 'none' algorithm (an unsigned token) to bypass authentication and impersonate any user that uses AWS Cognito for authentication.

CrowdSec analysis

CVE-2023-22893 is a vulnerability in Strapi through version 4.5.5 which allows remote attackers to bypass authentication when AWS Cognito is used as the login provider, because the access and ID tokens returned during the OAuth flow are not properly verified. Since a JWT with the 'none' algorithm carries no signature at all, an attacker can craft an ID token with arbitrary claims (for example another user's email) and have the server accept it as if Cognito had issued it, enabling them to impersonate any user and potentially gain unauthorized access to sensitive resources or perform actions as legitimate users. This flaw could be exploited for account takeover, privilege escalation, or data theft.

CrowdSec has been tracking this vulnerability and its exploits since 12th of June 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2023-22893 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. CrowdSec network telemetry also shows that exploitation of CVE-2023-22893 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit the /api/auth/cognito/callback endpoint by supplying a forged id_token JWT whose header declares the "none" algorithm (so the token has no signature to check), allowing them to bypass authentication and impersonate users in vulnerable Strapi instances.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.