Strapi - Authentication Bypass (CVE-2023-22893)
75 exploiting IPs reported
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that uses AWS Cognito for authentication.
CrowdSec analysis
CVE-2023-22893 is a vulnerability in Strapi through version 4.5.5 which allows remote attackers to bypass authentication when AWS Cognito is used as the login provider, due to improper verification of access or ID tokens during the OAuth flow. Attackers can forge ID tokens signed with the 'None' algorithm, enabling them to impersonate any user and potentially gain unauthorized access to sensitive resources or perform actions as legitimate users. This flaw could be exploited for account takeover, privilege escalation, or data theft.
CrowdSec has been tracking this vulnerability and its exploits since 12th of June 2025.
CrowdSec network observations suggest that most exploitation of CVE-2023-22893 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration, so it is unlikely that a given attack is accidental. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2023-22893 remains steady week over week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2023-22893 continues to be an active part of the threat landscape and will likely remain so for the foreseeable future.
Attackers exploit the /api/auth/cognito/callback endpoint by supplying a forged id_token JWT with the "none" algorithm, allowing them to bypass authentication and impersonate users in vulnerable Strapi instances.
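The following detection logic is an added example, not part of the CrowdSec page or of Strapi itself: it scans constructed access-log lines for requests to the callback endpoint whose id_token header claims the "none" algorithm (or carries no signature at all), which is the shape of the forgery described above. The log format, the RS256-only allow-list and the sample tokens are assumptions; the header check is a triage heuristic and does not replace verifying the token signature against Cognito's JWKS.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit
CALLBACK_PATH = "/api/auth/cognito/callback"
ALLOWED_ALGS = {"RS256"}  # assumption: the only algorithm Cognito uses for ID tokens

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
def jwt_alg(token: str):
    # Return the 'alg' claimed in the JWT header, or None if the token is malformed.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    return alg if isinstance(alg, str) else None
def id_token_is_suspect(token: str) -> bool:
    # Header-level check only: unsigned, 'none' in any casing, or an unexpected algorithm.
    alg = jwt_alg(token)
    if alg is None or not token.split(".")[2]:
        return True
    return alg.lower() == "none" or alg not in ALLOWED_ALGS
def scan_access_log(lines):
    # Collect (client_ip, claimed_alg) for callback requests carrying a suspect id_token.
    hits = []
    for line in lines:
        try:
            _, target, _ = line.split('"')[1].split(" ")  # "GET /path?q HTTP/1.1"
        except (IndexError, ValueError):
            continue
        url = urlsplit(target)
        if url.path != CALLBACK_PATH:
            continue
        for token in parse_qs(url.query).get("id_token", []):
            if id_token_is_suspect(token):
                hits.append((line.split(" ")[0], jwt_alg(token)))
    return hits
# Constructed sample data: same claims, one unsigned 'none' token and one RS256-shaped token.
_CLAIMS = _b64url(b'{"sub":"user-1","email":"admin@example.test"}')
FORGED = ".".join([_b64url(b'{"alg":"none","typ":"JWT"}'), _CLAIMS, ""])
SIGNED = ".".join([_b64url(b'{"alg":"RS256","kid":"k1"}'), _CLAIMS, "c2ln"])  # placeholder sig
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Jun/2025:10:00:00 +0000] "GET {CALLBACK_PATH}?id_token={FORGED} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [12/Jun/2025:10:00:01 +0000] "GET {CALLBACK_PATH}?id_token={SIGNED} HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jun/2025:10:00:02 +0000] "GET /api/users/me HTTP/1.1" 200 88',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags only the first client; a hit on a patched instance still indicates an attempt worth correlating with the source IP.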