PT-2025-42486 · Strapi+1 · @Strapi/Core+2

Published 2025-10-16 · Updated 2025-11-25 · CVE-2025-25298

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 5.10.3
Description: Strapi, an open source headless CMS, has an issue where the @strapi/core package does not enforce a maximum password length before hashing passwords with bcryptjs. Bcryptjs truncates passwords exceeding 72 bytes, silently discarding the remainder and reducing the effective entropy of overlong passwords. This can mislead users into believing the whole password is checked, and it can allow authentication with only the leading portion of the password. Very long inputs can also cause performance issues.
Recommendations: Update to Strapi version 5.10.3 or later.
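As an added illustration of the mechanism described above (not code from Strapi or bcryptjs): a model of bcrypt's 72-byte input limit that shows why two long passwords sharing the same first 72 bytes are hashed identically, next to the pre-hash length check a fix has to enforce. It assumes Node.js (for Buffer) and simulates the truncation rather than calling bcryptjs.

```javascript
// Added example; models the behaviour the advisory describes, not bcryptjs's
// own implementation.
const BCRYPT_MAX_BYTES = 72;

// What a silently truncating bcrypt effectively hashes: only the first 72
// bytes of the UTF-8 encoding. Everything after that never enters the hash.
function effectiveBcryptInput(password) {
  return Buffer.from(password, "utf8").subarray(0, BCRYPT_MAX_BYTES);
}

// True when a truncating bcrypt would produce the same hash for both
// passwords under the same salt, i.e. they only differ past byte 72.
function collapsesToSameInput(a, b) {
  return effectiveBcryptInput(a).equals(effectiveBcryptInput(b));
}

// Hardened check: reject before hashing. Count UTF-8 bytes, not characters,
// because multi-byte characters exhaust the 72-byte budget faster than the
// character count suggests.
function validatePasswordLength(password) {
  const bytes = Buffer.byteLength(password, "utf8");
  if (bytes > BCRYPT_MAX_BYTES) {
    return {
      ok: false,
      bytes,
      reason: `password is ${bytes} bytes; bcrypt accepts at most ${BCRYPT_MAX_BYTES}`,
    };
  }
  return { ok: true, bytes };
}

// Constructed sample inputs: identical 72-byte prefix, different suffixes.
const prefix = "a".repeat(BCRYPT_MAX_BYTES);
const longA = prefix + "-secret-suffix-1";
const longB = prefix + "-completely-different-suffix";

console.log("collapse:", collapsesToSameInput(longA, longB)); // true
console.log("check:", validatePasswordLength(longA));         // ok: false
console.log("check:", validatePasswordLength("é".repeat(40))); // 80 bytes, ok: false
```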

Related Identifiers

CVE-2025-25298
GHSA-2CJV-6WG9-F4F3

Affected Products

@Strapi/Core
Strapi
Bcryptjs