Strapi Password Hashing is Missing Maximum Password Length Validation

Severity:: Medium

Description

Strapi’s password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords exceeding 72 bytes, this creates potential vulnerabilities such as authentication bypass and performance degradation.

Recommendation

Update the @strapi/core package to the latest compatible version. Followings are version details:

Affected version(s): < 5.10.3
Patched version(s): 5.10.3

References

GHSA-2cjv-6wg9-f4f3
CVE-2025-25298
CWE-261
CAPEC-310
OWASP 2021-A2
OWASP 2021-A6

Related Issues

Strapi core vulnerable to sensitive data exposure via CORS misconfiguration - CVE-2025-53092
@farmfe/core is Missing Origin Validation in WebSocket - CVE-2025-56647
Elliptic's EDDSA missing signature length check - CVE-2024-42459
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160

How do hackers hack websites?

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @strapi/core

Anything's wrong? Let us know Last updated on November 27, 2025