6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-25298

CVE-2025-25298: Missing Maximum Password Length Validation in Strapi Password Hashing

Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently truncated. A user can create an account with a password exceeding 72 bytes and later authenticate with only the first 72 bytes. This reduces the effective entropy of overlong passwords and may mislead users who believe characters beyond 72 bytes are required, creating a low likelihood of unintended authentication if an attacker can obtain or guess the truncated portion. Long over‑length inputs can also impose unnecessary processing overhead. The issue is fixed in version 5.10.3. No known workarounds exist.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-25298

CVE-2025-25298:

6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@strapi/core	npm	< 5.10.3	5.10.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, CVE-2025-25298, stems from the fact that the bcryptjs library used by Strapi for password hashing silently truncates any password longer than 72 bytes. This means that if a user sets a password of this_is_a_very_long_password_that_is_definitely_more_than_72_bytes_long, only the first 72 bytes are actually used to create the hash. An attacker could then log in by providing only those first 72 bytes, effectively bypassing the full password.

The root cause was a lack of server-side validation to enforce a maximum password length in bytes before the password was passed to bcryptjs. The provided patch addresses this by introducing a validation rule across the entire application wherever a password can be set or updated.

My analysis of the commit 41f8cdf116f7f464dae7d591e52d88f7bfa4b7cb identified all the key functions involved in password management that were missing this validation:

User Registration (register): For both regular users via the users-permissions plugin and the initial admin user.
Password Updates: Including resetPassword and changePassword for regular users, and the update function for users managed through the admin panel.
User Creation (create): For users created by an administrator in the admin panel.

The patch consistently applies a .test('max-bytes', ...) check using yup validation schemas. This new test calculates the byte length of the password string and ensures it does not exceed 72. By identifying the schemas that were modified (createRegisterSchema, createResetPasswordSchema, createChangePasswordSchema, etc.) and the files they are in, I was able to pinpoint the corresponding controller functions that would be active at runtime during an exploitation attempt. These are the functions that process the user's password input and are therefore the primary indicators of this vulnerability being triggered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-25298: Missing Maximum Password Length Validation in Strapi Password Hashing

CVE-2025-25298:

6.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-25298: Missing Maximum Password Length Validation in Strapi Password Hashing

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.3

6.3

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI