GHSA-2CJV-6WG9-F4F3

Vulnerability from github – Published: 2025-10-16 18:41 – Updated: 2025-11-27 08:44
VLAI?
Summary
Strapi Password Hashing is Missing Maximum Password Length Validation
Details

Summary

Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords exceeding 72 bytes, this creates potential vulnerabilities such as authentication bypass and performance degradation.

POC

Create an admin user with a password exceeding 72 characters like 85, Log in using only the first 72 characters of the password. Authentication is successful, confirming the issue.

Proposed Solution Based on discussions:

Add a maximum password length validation (72 characters) during password creation and updates for both Admin and U&P users. Truncate passwords exceeding 72 bytes on the server before passing them to bcryptjs during login. Optionally, issue a warning to users with passwords longer than 72 bytes during login, informing them of truncation.

Impact

This issue affects all Strapi installations using bcryptjs for password hashing. Until resolved, it can lead to: Authentication Bypass: Users may unknowingly set passwords exceeding 72 bytes, leading to truncated, predictable hashes. Performance Issues: Excessively long passwords can degrade server performance.

Severity ?
6.3 (Medium)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T18:41:43Z",
    "nvd_published_at": "2025-10-16T17:15:33Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nStrapi\u0027s password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords exceeding 72 bytes, this creates potential vulnerabilities such as authentication bypass and performance degradation.\n\n## POC\nCreate an admin user with a password exceeding 72 characters like 85,\nLog in using only the first 72 characters of the password.\nAuthentication is successful, confirming the issue.\n\nProposed Solution Based on  discussions:\n\nAdd a maximum password length validation (72 characters) during password creation and updates for both Admin and U\u0026P users.\nTruncate passwords exceeding 72 bytes on the server before passing them to bcryptjs during login.\nOptionally, issue a warning to users with passwords longer than 72 bytes during login, informing them of truncation.\n\n## Impact\nThis issue affects all Strapi installations using bcryptjs for password hashing. Until resolved, it can lead to:\nAuthentication Bypass: Users may unknowingly set passwords exceeding 72 bytes, leading to truncated, predictable hashes.\nPerformance Issues: Excessively long passwords can degrade server performance.",
  "id": "GHSA-2cjv-6wg9-f4f3",
  "modified": "2025-11-27T08:44:59Z",
  "published": "2025-10-16T18:41:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-2cjv-6wg9-f4f3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25298"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/commit/41f8cdf116f7f464dae7d591e52d88f7bfa4b7cb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Strapi Password Hashing is Missing Maximum Password Length Validation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.