Weak Encoding for Password Affecting @strapi/admin package, versions <5.10.3

Q: How to fix?

Upgrade @strapi/admin to version 5.10.3 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-STRAPIADMIN-13601311
published17 Oct 2025
disclosed16 Oct 2025
creditSinan

Report a new vulnerability Found a mistake?

Introduced: 16 Oct 2025

NewCVE-2025-25298 (opens in a new tab) CWE-261 (opens in a new tab)

How to fix?

Upgrade @strapi/admin to version 5.10.3 or higher.

Overview

@strapi/admin is a Strapi Admin

Affected versions of this package are vulnerable to Weak Encoding for Password in to the implementation of password hashing. An attacker can reduce the effective entropy of user passwords and potentially mislead users about the required password length by submitting passwords longer than 72 bytes, which are silently truncated during hashing.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None