CVE-2025-25298

Description

## Summary Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords exceeding 72 bytes, this creates potential vulnerabilities such as authentication bypass and performance degradation. ## POC Create an admin user with a password exceeding 72 characters like 85, Log in using only the first 72 characters of the password. Authentication is successful, confirming the issue. Proposed Solution Based on discussions: Add a maximum password length validation (72 characters) during password creation and updates for both Admin and U&P users. Truncate passwords exceeding 72 bytes on the server before passing them to bcryptjs during login. Optionally, issue a warning to users with passwords longer than 72 bytes during login, informing them of truncation. ## Impact This issue affects all Strapi installations using bcryptjs for password hashing. Until resolved, it can lead to: Authentication Bypass: Users may unknowingly set passwords exceeding 72 bytes, leading to truncated, predictable hashes. Performance Issues: Excessively long passwords can degrade server performance.

How to fix CVE-2025-25298

To remediate CVE-2025-25298, upgrade the affected package to a fixed version below.

• —upgrade to 5.10.3 or later

Is CVE-2025-25298 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 5.10.3

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-25298
• PATCHgithub.com/strapi/strapi
• WEBgithub.com/strapi/strapi/commit/41f8cdf116f7f464dae7d591e52d88f7bfa4b7cb
• WEBgithub.com/strapi/strapi/security/advisories/GHSA-2cjv-6wg9-f4f3