Improper Password Length Validation
@strapi/core is vulnerable to improper password length validation. The vulnerability is due to the lack of enforcing a maximum password length when using bcryptjs, which truncates passwords beyond 72 bytes, allowing an attacker to authenticate using only the first 72 bytes of an overlong password...
@avorati/strapi-plugin-preview (=1.0.1), @futurebrand/helpers-strapi (>=2.0.2 <=2.5.4) +8 more potentially affected by CVE-2025-53092 via @strapi/core (>=0.0.0-experimental.a13c58eec89ab119f0e381fb79c0252979e9c125 <=5.1.1)
@strapi/core NPM version =0.0.0-experimental.a13c58eec89ab119f0e381fb79c0252979e9c125, =2.0.2, =0.0.1, =0.0.0-experimental.0af49f5c5ec496b0fad61ac9bfd4d0127b89d8d3, =5.19.0 - custom-strapi-plugin-socket =1.0.2 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2025-53092 Source advisory:...
@jhoward1994/strapi-plugin-ckeditor (>=0.0.1 <=0.0.1-rc5), @strapi/admin (=0.0.0-experimental.6dbac0c205b0f8495781db5706c18cac1a62e62b) +3 more potentially affected by CVE-2025-25298 via @strapi/core (>=0.0.0-experimental.a13c58eec89ab119f0e381fb79c0252979e9c125 <=5.10.2)
@strapi/core NPM version =0.0.0-experimental.a13c58eec89ab119f0e381fb79c0252979e9c125, =0.0.1, =0.0.0-experimental.0af49f5c5ec496b0fad61ac9bfd4d0127b89d8d3, =5.10.2 - custom-strapi-plugin-socket =1.0.2 Source cves: CVE-2025-25298 Source advisory: OSV:GHSA-2CJV-6WG9-F4F3...
@avorati/strapi-plugin-preview (=1.0.1), @catchmexz/fedin-cms (>=5.30.1 <=5.30.2) +26 more potentially affected by CVE-2024-56143 via @strapi/core (>=5.0.0 <=5.5.1)
@strapi/core NPM version =5.0.0, =5.30.1, =1.0.0, =2.3.1, =2.0.2, =0.1.0, =2.0.0, =1.0.1, =5.0.0, =0.1.0, =0.2.0, =0.5.0 - cypherscan-strapi =0.1.1 - keycloak-auth-plugin =0.0.1 - my-shopify-app-backend =0.1.0 and more Source cves: CVE-2024-56143 Source advisory: OSV:GHSA-495J-H493-42Q2...
Origin Validation Error
Overview: @strapi/core is the core package of Strapi. Affected versions of this package are vulnerable to Origin Validation Error due to improper validation of the Origin header in the CORS configuration. An attacker can access sensitive information by hosting a malicious site on a different origin and...
@avorati/strapi-plugin-preview (=1.0.1), @futurebrand/helpers-strapi (>=2.0.2 <=2.5.4) +6 more potentially affected by CVE-2025-53092 via @strapi/core (>=5.0.0-alpha.0 <=5.1.1)
@strapi/core NPM version =5.0.0-alpha.0, =2.0.2, =0.0.1, =5.0.0, =5.19.0 - custom-strapi-plugin-socket =1.0.2 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2025-53092 Source advisory: SNYK:JS-STRAPICORE-13601312...
CVE-2025-25298
Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently truncated. A user can create an account...
Authorization Bypass Through User-Controlled Key
Overview: @strapi/core is the core package of Strapi. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the lookup operator in the document service, due to improper sanitization of query operators for private fields. An attacker can retrieve sensitive...
@avorati/strapi-plugin-preview (=1.0.1), @catchmexz/fedin-cms (>=5.30.1 <=5.30.2) +26 more potentially affected by CVE-2024-56143 via @strapi/core (>=5.0.0 <=5.5.1)
@strapi/core NPM version =5.0.0, =5.30.1, =1.0.0, =2.3.1, =2.0.2, =0.1.0, =2.0.0, =1.0.1, =5.0.0, =0.1.0, =0.2.0, =0.5.0 - cypherscan-strapi =0.1.1 - keycloak-auth-plugin =0.0.1 - my-shopify-app-backend =0.1.0 and more Source cves: CVE-2024-56143 Source advisory: SNYK:JS-STRAPICORE-13601313...
CVE-2025-25298
CVE-2025-25298 concerns Strapi’s @strapi/core up to v5.10.3, where bcryptjs-based password hashing does not enforce a maximum password length. Passwords longer than 72 bytes are silently truncated by bcryptjs, allowing a user to register with an overlong password and authenticate using only the f...
CVE-2025-25298 Missing Maximum Password Length Validation in Strapi Password Hashing
Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently truncated. A user can create an account...
@avorati/strapi-plugin-preview (=1.0.1), @futurebrand/helpers-strapi (>=2.0.2 <=2.5.4) +8 more potentially affected by CVE-2025-3930 via @strapi/admin (>=5.0.0-alpha.0 <=5.23.6)
@strapi/admin NPM version =5.0.0-alpha.0, =2.0.2, =0.0.1, =5.0.0, =5.0.0, =5.0.0, =5.23.6 - custom-strapi-plugin-socket =1.0.2 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2025-3930 Source advisory: SNYK:JS-STRAPIADMIN-13601310...