Strapi Password Length Validation Vulnerability in @strapi/core Package

Vulnerability

A vulnerability exists in the Strapi @strapi/core package, prior to version 5.10.3: passwords are hashed with bcryptjs without first being limited in length. bcrypt, and therefore bcryptjs, only feeds the first 72 bytes of the UTF-8 encoded password into its key schedule; any bytes beyond that are silently ignored. A user can therefore create an account with a password longer than 72 bytes, but only its first 72 bytes contribute to the stored hash, and any input that shares those 72 bytes authenticates. This misleads users about how much of their password is actually verified (the limit is in bytes, not characters, so multi-byte characters reach it sooner). In addition, because the input is accepted unbounded and converted to bytes before truncation, excessively long passwords can consume server resources and degrade performance.

Impact

This vulnerability can lead to authentication bypass in the sense that an attacker who knows or guesses the first 72 bytes of a longer password can log in without the remainder: the hash only covers the truncated value, so the password is weaker than the user believes. Processing very long passwords may also degrade server performance.

Reproduction

To reproduce this vulnerability, create an admin user with a password longer than 72 bytes (for ASCII-only passwords, 72 characters equals 72 bytes). Then log in using only the first 72 bytes of that password. Authentication succeeds, confirming that the remainder of the password is never verified.

Remediation

Users should update @strapi/core (Strapi) to version 5.10.3 or later, where this vulnerability is fixed. Until then, enforce a password length limit in bytes, not characters, before any value reaches the hashing code.

Added: Oct 16, 2025, 5:22 PM
Updated: Oct 16, 2025, 5:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.0
exploitability: 6.6
remediation: 7.7
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.