Home > Vulnerability Database > CVE-2025-25298

Mend.io Vulnerability Database

CVE-2025-25298

Good to know:

Date: October 16, 2025

Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently truncated. A user can create an account with a password exceeding 72 bytes and later authenticate with only the first 72 bytes. This reduces the effective entropy of overlong passwords and may mislead users who believe characters beyond 72 bytes are required, creating a low likelihood of unintended authentication if an attacker can obtain or guess the truncated portion. Long over‑length inputs can also impose unnecessary processing overhead. The issue is fixed in version 5.10.3. No known workarounds exist.

Severity Score

3.7

Related Resources (5)

Url: https://github.com/strapi/strapi/commit/41f8cdf116f7f464dae7d591e52d88f7bfa4b7cb

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-25298

Url: https://github.com/strapi/strapi/security/advisories/GHSA-2cjv-6wg9-f4f3

Url: https://github.com/strapi/strapi

Url: https://www.mend.io/vulnerability-database/CVE-2025-25298

Severity Score

3.7

Weakness Type (CWE)

Weak Encoding for Password

CWE-261

Top Fix

Upgrade Version

Upgrade to version @strapi/core - 5.10.3

Learn More

CVSS v3.1

Base Score:	3.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-25298

Good to know:

Date: October 16, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?