CVE-2025-25298: Strapi Password Hashing Missing Maximum Password Length Validation

October 16, 2025 (updated November 10, 2025)

Strapi’s password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords exceeding 72 bytes, this creates potential vulnerabilities such as authentication bypass and performance degradation.

References

github.com/advisories/GHSA-2cjv-6wg9-f4f3
github.com/strapi/strapi
github.com/strapi/strapi/commit/41f8cdf116f7f464dae7d591e52d88f7bfa4b7cb
github.com/strapi/strapi/security/advisories/GHSA-2cjv-6wg9-f4f3
nvd.nist.gov/vuln/detail/CVE-2025-25298

Code Behaviors & Features

Detect and mitigate CVE-2025-25298 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →