CVE-2025-25298

5.3 MEDIUM

📋 TL;DR

Strapi versions before 5.10.3 do not enforce a maximum password length when using bcryptjs for password hashing, causing passwords longer than 72 bytes to be silently truncated. This reduces effective password entropy and could allow authentication with only the first 72 bytes of a longer password. All Strapi deployments using affected versions are vulnerable.

💻 Affected Systems

Products:
  • Strapi
Versions: All versions before 5.10.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using bcryptjs for password hashing (default configuration).

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who obtains or guesses the first 72 bytes of a user's longer password could authenticate as that user, potentially gaining unauthorized access to sensitive CMS content or administrative functions.

🟠 Likely Case

Users with very long passwords may have reduced security without realizing it, and attackers could potentially brute-force the truncated portion more easily than the full password.

🟢 If Mitigated

With proper password policies and monitoring, the risk is minimal, as attackers would still need to obtain the first 72 bytes of passwords.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires either obtaining password hashes or guessing the first 72 bytes of user passwords.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.10.3

Vendor Advisory: https://github.com/strapi/strapi/security/advisories/GHSA-2cjv-6wg9-f4f3

Restart Required: No

Instructions:

1. Update Strapi to version 5.10.3 or later using npm: npm update @strapi/core
2. Verify the update completed successfully
3. Consider forcing password resets for users with very long passwords

🔧 Temporary Workarounds

Password Policy Enforcement (applies to: all)

Implement password policies that limit passwords to 72 bytes or less (72 characters for ASCII-only passwords).

🧯 If You Can't Patch

  • Implement password policies limiting passwords to 72 characters maximum
  • Monitor authentication logs for unusual patterns and force password resets for users with very long passwords

🔍 How to Verify

Check if Vulnerable:

Check the installed @strapi/core version (npm list reports the installed version; a package.json entry such as a caret range is only a constraint). If the version is less than 5.10.3, the system is vulnerable.

Check Version:

npm list @strapi/core

Verify Fix Applied:

Verify @strapi/core version is 5.10.3 or higher in package.json and that password length validation is working.

📡 Detection & Monitoring

Log Indicators:

  • Failed login attempts followed by successful logins with similar but truncated credentials
  • User accounts with extremely long passwords

Network Indicators:

  • Unusual authentication patterns from single IP addresses

SIEM Query:

Authentication logs showing successful logins after multiple failures with similar credential patterns
