Strapi Password Length Validation Vulnerability

MEDIUM (5.3) - Patch Available

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.07% chance of exploitation (percentile: 23%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

Strapi is an open-source headless CMS. The vulnerability is in Strapi's password hashing, which uses bcryptjs without enforcing a maximum password length. bcrypt only processes the first 72 bytes of its input, so longer passwords are silently truncated. This creates potential for authentication bypass (passwords that share the same first 72 bytes verify identically) and for performance degradation.

Am I affected?

You're affected if you use Strapi version 5.10.2 or earlier (that is, any version before 5.10.3). To check the installed package version, run: npm ls @strapi/core

Note: This vulnerability does not affect Strapi versions 5.11.0 or later, which have been patched.

Affected Packages

npm: @strapi/core

How to fix

- Upgrade to Strapi version 5.10.3 or later from the official GitHub repository: https://github.com/strapi/strapi/releases/tag/v5.10.3
- Alternatively, apply immediate mitigations:
  - Enforce a maximum password length (72 characters) during password creation and updates, for both Admin users and Users & Permissions (U&P) users.
  - Truncate passwords exceeding 72 bytes on the server before passing them to bcryptjs during login.
  - Optionally, warn users whose passwords are longer than 72 bytes at login that their password is being truncated.
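The three mitigations above as server-side helpers, written here as an added example rather than code taken from Strapi. It assumes a Node.js runtime (Buffer is used to count UTF-8 bytes); the function names are illustrative and not Strapi APIs.

```javascript
// Added example (not Strapi's code): password-length guards for a bcrypt-based
// login flow, mirroring the advisory's mitigations. bcrypt hashes at most the
// first 72 bytes of its input, so anything beyond that never influences the hash.
const BCRYPT_MAX_BYTES = 72;

// bcrypt counts UTF-8 bytes, not characters: "é" is 2 bytes, an emoji is 4.
function passwordByteLength(password) {
  return Buffer.byteLength(password, "utf8");
}

// Mitigation 1: on registration / password change, reject anything bcrypt
// could not hash in full, so no user ends up with a silently shortened secret.
function validateNewPassword(password) {
  const bytes = passwordByteLength(password);
  if (bytes > BCRYPT_MAX_BYTES) {
    return { ok: false, reason: `password is ${bytes} bytes; max is ${BCRYPT_MAX_BYTES}` };
  }
  return { ok: true };
}

// Mitigations 2 and 3: at login, truncate explicitly to 72 bytes before
// calling bcryptjs and report whether truncation happened so the caller can
// warn the user. The cut is moved back to a UTF-8 character boundary so the
// result is a valid string; this equals bcrypt's own 72-byte cut except when
// a multi-byte character straddles byte 72, in which case the partial
// character is dropped instead of being fed in as invalid UTF-8.
function prepareLoginPassword(password) {
  const buf = Buffer.from(password, "utf8");
  if (buf.length <= BCRYPT_MAX_BYTES) {
    return { password, truncated: false };
  }
  let end = BCRYPT_MAX_BYTES;
  // Continuation bytes look like 10xxxxxx; back up until buf[end] starts a char.
  while (end > 0 && (buf[end] & 0xc0) === 0x80) end--;
  return { password: buf.subarray(0, end).toString("utf8"), truncated: true };
}

// Why the validation matters: two different passwords with the same first
// 72 bytes are indistinguishable to bcrypt, so they verify against the same hash.
function sameBcryptInput(a, b) {
  const ka = Buffer.from(a, "utf8").subarray(0, BCRYPT_MAX_BYTES);
  const kb = Buffer.from(b, "utf8").subarray(0, BCRYPT_MAX_BYTES);
  return ka.equals(kb);
}

module.exports = { validateNewPassword, prepareLoginPassword, sameBcryptInput };
```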