ghsa-2cjv-6wg9-f4f3
Vulnerability from github
Published
2025-10-16 18:41
Modified
2025-10-16 18:41
Severity ?
6.3 (Medium) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Strapi Password Hashing Missing Maximum Password Length Validation
Details

Summary

Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords exceeding 72 bytes, this creates potential vulnerabilities such as authentication bypass and performance degradation.

POC

Create an admin user with a password exceeding 72 characters like 85, Log in using only the first 72 characters of the password. Authentication is successful, confirming the issue.

Proposed Solution Based on discussions:

Add a maximum password length validation (72 characters) during password creation and updates for both Admin and U&P users. Truncate passwords exceeding 72 bytes on the server before passing them to bcryptjs during login. Optionally, issue a warning to users with passwords longer than 72 bytes during login, informing them of truncation.

Impact

This issue affects all Strapi installations using bcryptjs for password hashing. Until resolved, it can lead to: Authentication Bypass: Users may unknowingly set passwords exceeding 72 bytes, leading to truncated, predictable hashes. Performance Issues: Excessively long passwords can degrade server performance.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T18:41:43Z",
    "nvd_published_at": "2025-10-16T17:15:33Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nStrapi\u0027s password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords exceeding 72 bytes, this creates potential vulnerabilities such as authentication bypass and performance degradation.\n\n## POC\nCreate an admin user with a password exceeding 72 characters like 85,\nLog in using only the first 72 characters of the password.\nAuthentication is successful, confirming the issue.\n\nProposed Solution Based on  discussions:\n\nAdd a maximum password length validation (72 characters) during password creation and updates for both Admin and U\u0026P users.\nTruncate passwords exceeding 72 bytes on the server before passing them to bcryptjs during login.\nOptionally, issue a warning to users with passwords longer than 72 bytes during login, informing them of truncation.\n\n## Impact\nThis issue affects all Strapi installations using bcryptjs for password hashing. Until resolved, it can lead to:\nAuthentication Bypass: Users may unknowingly set passwords exceeding 72 bytes, leading to truncated, predictable hashes.\nPerformance Issues: Excessively long passwords can degrade server performance.",
  "id": "GHSA-2cjv-6wg9-f4f3",
  "modified": "2025-10-16T18:41:43Z",
  "published": "2025-10-16T18:41:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-2cjv-6wg9-f4f3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25298"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/commit/41f8cdf116f7f464dae7d591e52d88f7bfa4b7cb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Strapi Password Hashing Missing Maximum Password Length Validation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.