18 matches found
Improper Password Length Validation
@strapi/core is vulnerable to improper password length validation. The vulnerability is due to not enforcing a maximum password length when hashing with bcryptjs, which ignores any bytes beyond the first 72; an attacker can therefore authenticate with only the first 72 bytes of an overlong password...
Malicious Package
Overview bcryptjs-nodejs is a malicious package. This package contains malicious code associated with a social engineering campaign called "Contagious Interview." The attackers target developers through fake job interviews or coding test assignments that require the installation of this package...
EUVD-2025-37867
Malicious code in bcryptjs-node-js npm...
MAL-2025-49358 Malicious code in bcryptjs-node-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 60f621b58cc468b09e5963a64bef46446818cfa742ca51366a9e256bdb6299b8 The package bcryptjs-node-js was found to contain malicious code. Source: ghsa-malware 3b410282355b8584d4b9c012154aed901dfd650f212d1a2a942d901ae693f3...
MAL-2025-49357 Malicious code in bcryptjs-node (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0be16faac6783f82014ca8cf99ad85fccf1d5e8a161d5b601a50ae9d6376727 The package bcryptjs-node was found to contain malicious code. Source: ghsa-malware 9ed37910e4f94c2d5eb3552347636ce0b38ce92c42cb7abf643ca2cffd60e8af...
Malicious Package
Overview bcryptjs-node is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
EUVD-2025-37868
Malicious code in bcryptjs-node npm...
CVE-2025-25298
Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently truncated. A user can create an account...
EUVD-2025-34776
Strapi Password Hashing Missing Maximum Password Length Validation...
GHSA-2CJV-6WG9-F4F3 Strapi Password Hashing is Missing Maximum Password Length Validation
Summary Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords exceeding 72 bytes, this creates potential vulnerabilities such as authentication bypass and performance degradation. POC Create an admin user with a passwo...
CVE-2025-25298
CVE-2025-25298 concerns Strapi’s @strapi/core before v5.10.3, where bcryptjs-based password hashing does not enforce a maximum password length. Passwords longer than 72 bytes are silently truncated by bcryptjs, allowing a user to register with an overlong password and authenticate using only the f...
CVE-2025-25298 Missing Maximum Password Length Validation in Strapi Password Hashing
Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently truncated. A user can create an account...
Strapi security vulnerability
Strapi is an open source content management system (CMS) from the French Strapi community. A security vulnerability exists in Strapi versions prior to 5.10.3 that stems from not enforcing a maximum password length for bcryptjs password hashes, which could result in passwords being silently...