Strapi Release: 3.6.10
Tag Name: v3.6.10
Release Date: 5/11/2022
Strapi: Open-source headless CMS built with Node.js. Provides developers with complete freedom in choosing their favorite tools and frameworks for frontend development.
TL;DR
Strapi v3.6.10 focuses on security improvements by removing hidden attributes from admin API responses. This update ensures sensitive information like confirmation and reset-password tokens are properly hidden from unauthorized access, enhancing the overall security posture of Strapi v3 installations.
Highlight of the Release
- Fixed security vulnerability by properly hiding sensitive attributes in admin API responses
- Improved handling of hidden configuration in schema files
- Enhanced data sanitation for admin users
Migration Guide
No specific migration steps are required for this security update. Simply upgrade to v3.6.10 to benefit from the security improvements.
For general migration guidance, refer to the official Strapi migration guides.
Upgrade Recommendations
This release contains important security fixes that prevent exposure of sensitive information in API responses. All Strapi v3 users should upgrade to v3.6.10 as soon as possible to ensure their installations are protected against potential information disclosure vulnerabilities.
The upgrade process should be straightforward with no breaking changes:
npm install [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
Or if using Yarn:
yarn upgrade [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
Bug Fixes
Security Bug Fixes
- Fixed an issue where hidden attributes like confirmation and reset-password tokens were exposed in admin API responses
- Corrected the implementation to use schema.config.attributes instead of schema.attributes for proper attribute handling
- Fixed sanitation process for admin users in content manager
- Ensured the withHidden option is properly passed down in sanitize recursion
New Features
No new features were introduced in this release. This is a security-focused maintenance release.
Security Updates
Security Enhancements
- Hidden Attributes Protection: Implemented proper hiding of sensitive information like confirmation and reset-password tokens from the getstarted Users & Permissions extension
- Admin API Response Sanitation: Enhanced the sanitation process to ensure hidden attributes are not exposed in admin API responses
- Schema Configuration: Improved the handling of hidden configuration in schema files to prevent potential information disclosure
- Recursive Sanitation: Fixed the sanitize recursion process to properly pass down the withHidden option, ensuring consistent security throughout nested data structures
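The two points the Bug Fixes and Security Enhancements lists describe (reading the hidden flag from schema.config.attributes rather than schema.attributes, and forwarding the withHidden option into the sanitize recursion) are illustrated by the following added example. It is not Strapi's own code; the schema shape, the `relation` key and the sample response are assumptions constructed for the illustration.

```javascript
// Added example, not Strapi's code; schema shape and `relation` key are assumed.
// Constructed schemas: the user model flags its token fields as hidden under
// config.attributes (where the release notes say the flag lives); a comment
// model has an `author` relation back to the user.
const schemas = {
  user: {
    attributes: { email: { type: 'email' }, confirmationToken: { type: 'string' },
      resetPasswordToken: { type: 'string' } },
    config: { attributes: { confirmationToken: { hidden: true },
      resetPasswordToken: { hidden: true } } },
  },
  comment: {
    attributes: { body: { type: 'text' }, author: { relation: 'user' } },
    config: { attributes: {} },
  },
};

// Names flagged hidden, read from schema.config.attributes rather than
// schema.attributes (the lookup the release corrects), so the flag is found.
function hiddenAttributes(schema) {
  const cfg = (schema.config && schema.config.attributes) || {};
  return Object.keys(cfg).filter((name) => cfg[name].hidden === true);
}

// Strip hidden attributes, recursing into relations. `withHidden` is forwarded
// on every recursive call so a user nested inside a comment is treated exactly
// like a top-level user; only an explicit withHidden: true keeps the tokens.
function sanitizeEntity(entity, schema, options = {}) {
  const { withHidden = false } = options;
  if (entity === null || typeof entity !== 'object') return entity;
  if (Array.isArray(entity)) return entity.map((e) => sanitizeEntity(e, schema, options));
  const hidden = withHidden ? [] : hiddenAttributes(schema);
  const out = {};
  for (const [key, value] of Object.entries(entity)) {
    if (hidden.includes(key)) continue;
    const attr = schema.attributes[key];
    const target = attr && attr.relation ? schemas[attr.relation] : null;
    out[key] = target ? sanitizeEntity(value, target, { withHidden }) : value;
  }
  return out;
}

// Constructed sample response: a comment whose populated author still
// carries tokens, as a leaky admin response would before the fix.
const sample = { body: 'hi', author: { email: 'a@example.com',
  confirmationToken: 'tok1', resetPasswordToken: 'tok2' } };
```

Running `sanitizeEntity(sample, schemas.comment)` returns the comment with both token fields removed from the nested author, while passing `{ withHidden: true }` keeps them for callers that are explicitly entitled to see them.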
Performance Improvements
No specific performance improvements were included in this release. The changes were focused on security enhancements.
Impact Summary
This security-focused release addresses an important vulnerability in Strapi v3 where sensitive user information could potentially be exposed through admin API responses. By properly implementing hidden attribute protection, the update significantly reduces the risk of information disclosure that could be exploited by malicious actors.
The changes ensure that sensitive data like confirmation tokens and reset-password tokens remain properly hidden, even when accessed through the admin API. This is particularly important for maintaining the security of user authentication and account management processes.
While this update doesn't introduce new features or change existing functionality, it strengthens Strapi's security posture and helps organizations maintain compliance with data protection requirements. The fix is implemented in a way that should not disrupt existing legitimate functionality.
Users Affected:
- Enhanced security with sensitive information like confirmation and reset-password tokens now properly hidden from API responses
- More secure admin user management with improved data sanitation
