CVE-2025-25298: 
JavaScript vulnerability analysis and mitigation

Strapi, an open source headless CMS, contains a vulnerability in the @strapi/core package versions before 5.10.3 related to password length validation. The vulnerability stems from the package not enforcing a maximum password length when using bcryptjs for password hashing, where bcryptjs silently truncates passwords longer than 72 bytes (GitHub Advisory, NVD). The vulnerability was discovered and disclosed on October 16, 2025.

The vulnerability occurs because bcryptjs ignores any bytes beyond 72 when hashing passwords. This means that users can create accounts with passwords exceeding 72 bytes but can later authenticate using only the first 72 bytes of the password. The issue has been assigned a CVSS v4.0 base score of 6.3 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (NVD).

The vulnerability reduces the effective entropy of overlong passwords and may mislead users who believe characters beyond 72 bytes are required. This creates a low likelihood of unintended authentication if an attacker can obtain or guess the truncated portion of the password. Additionally, long over-length inputs can impose unnecessary processing overhead on the system (GitHub Advisory).

The issue has been fixed in version 5.10.3 of the @strapi/core package. The fix includes adding a maximum password length validation (72 characters) during password creation and updates for both Admin and U&P users. No known workarounds exist for versions prior to 5.10.3 (NVD, GitHub Advisory).