
AIKIDO-2024-10484

@strapi/plugin-graphql is vulnerable to Private Data Structure Returned From A Public Method

Pre-CVE: found by Aikido Intel before public disclosure or CVE publication.

32

Low Risk

This Affects:

@strapi/plugin-graphql (js)
Affected versions: 4.0.0 - 5.4.1
Fixed in 5.4.2

TL;DR

Affected versions of this package expose attributes tagged as private in the generated GraphQL input and filter schema definitions. Because those attributes appear in the input and filter types, clients can query or filter on sensitive fields that should remain hidden. As a result, attackers or unauthorized users may gain access to confidential information, potentially compromising the security and privacy of the application's data.
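A defender-side check for the behaviour described above, added here as an example and not code from Aikido or from the Strapi project: given a Strapi-style content-type definition (attributes marked `private: true`) and the SDL a server exposes, it lists every private attribute that still appears in an `input` or filter type. The content-type, the type names (`ArticleInput`, `ArticleFiltersInput`) and the SDL are constructed for illustration; the SDL scan is a minimal regex pass, not a full GraphQL parser.

```javascript
// Added example (not Aikido's or Strapi's code): report private attributes
// that leak into GraphQL input/filter types. All names below are constructed.

// Constructed content-type definition in the shape of a Strapi schema.json.
const ARTICLE_CONTENT_TYPE = {
  singularName: 'article',
  attributes: {
    title: { type: 'string' },
    body: { type: 'richtext' },
    internalNotes: { type: 'text', private: true },
    reviewerEmail: { type: 'email', private: true },
  },
};

// Constructed SDL standing in for what an affected server might generate:
// the private attributes show up in the input and filter types.
const LEAKY_SDL = `
type Article {
  title: String
  body: String
}

input ArticleInput {
  title: String
  body: String
  internalNotes: String
  reviewerEmail: String
}

input ArticleFiltersInput {
  title: StringFilterInput
  reviewerEmail: StringFilterInput
  and: [ArticleFiltersInput]
}
`;

// Minimal SDL scan: map each `input` type name to its field names.
// SDL comments are stripped first so they cannot be mistaken for fields.
function inputTypeFields(sdl) {
  const cleaned = sdl.replace(/#.*$/gm, '');
  const result = new Map();
  const blockRe = /input\s+(\w+)\s*\{([^}]*)\}/g;
  let m;
  while ((m = blockRe.exec(cleaned)) !== null) {
    const fields = [];
    // A field is a name at the start of a line, optional arguments, then a colon.
    const fieldRe = /^\s*(\w+)\s*(?:\([^)]*\))?\s*:/gm;
    let f;
    while ((f = fieldRe.exec(m[2])) !== null) fields.push(f[1]);
    result.set(m[1], fields);
  }
  return result;
}

// Names of attributes the content-type marks as private.
function privateAttributeNames(contentType) {
  return Object.entries(contentType.attributes)
    .filter(([, def]) => def.private === true)
    .map(([name]) => name);
}

// Returns a sorted list of "TypeName.field" for every private attribute that
// appears in an input or filter type. An empty list means nothing leaked.
function findExposedPrivateAttributes(contentType, sdl) {
  const privates = new Set(privateAttributeNames(contentType));
  const findings = [];
  for (const [typeName, fields] of inputTypeFields(sdl)) {
    for (const field of fields) {
      if (privates.has(field)) findings.push(`${typeName}.${field}`);
    }
  }
  return findings.sort();
}

const findings = findExposedPrivateAttributes(ARTICLE_CONTENT_TYPE, LEAKY_SDL);
if (findings.length === 0) {
  console.log('No private attributes exposed in input types');
} else {
  console.log('Private attributes exposed in input types:', findings);
}
```

Run it against the SDL your own server returns (for example the result of an introspection query converted to SDL) and your real content-type definitions; any non-empty result means a private attribute is reachable through input or filter arguments and the upgrade should be prioritised.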

Who does this affect?

You are affected if you are running a version of @strapi/plugin-graphql within the affected range (4.0.0 - 5.4.1).
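A small version check for the range stated in this advisory, added here as an example and not Aikido's code: it compares an installed version against the inclusive range 4.0.0 - 5.4.1 with a hand-rolled semver comparison so no extra dependency is needed. The `package.json`-shaped sample object is constructed; in practice you would pass the contents of the installed package's `package.json`.

```javascript
// Added example (not Aikido's code): is an installed @strapi/plugin-graphql
// version inside the advisory's affected range 4.0.0 - 5.4.1 (inclusive)?

const AFFECTED_RANGE = { from: '4.0.0', to: '5.4.1' }; // inclusive, per the advisory
const FIXED_VERSION = '5.4.2';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", optional pre-release
// suffix such as "-beta.1") into numeric parts plus a pre-release flag.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error(`Unparseable version: ${version}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

// Semver-style ordering: numeric parts first; a pre-release sorts below the
// same numeric release (so 4.0.0-alpha.1 < 4.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_RANGE.from) >= 0 &&
         compareVersions(version, AFFECTED_RANGE.to) <= 0;
}

// Evaluate a package.json-shaped object (e.g. the parsed contents of
// node_modules/@strapi/plugin-graphql/package.json).
function checkInstalled(pkgJson) {
  const version = pkgJson.version;
  return { name: pkgJson.name, version, affected: isAffectedVersion(version), fixedIn: FIXED_VERSION };
}

// Constructed sample standing in for the installed package's package.json.
const SAMPLE_PKG = { name: '@strapi/plugin-graphql', version: '5.4.1' };
console.log(checkInstalled(SAMPLE_PKG));
```

The pre-release handling follows semver ordering, so a pre-release of the first affected version is reported as not affected; if you run pre-release builds, treat any result near the range boundaries as something to confirm against the changelog rather than a final answer.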

Background info

@strapi/plugin-graphql is vulnerable to Private Data Structure Returned From A Public Method in versions 4.0.0 - 5.4.1.

How to fix this

Upgrade @strapi/plugin-graphql to the patched version, 5.4.2 or later.