The vulnerability in Strapi stems from its use of the bcryptjs library for password hashing without enforcing a corresponding maximum password length. bcryptjs has a known technical limitation: it only processes the first 72 bytes of a password input. Any bytes beyond this 72-byte boundary are silently ignored during the hash calculation. Strapi's failure to validate and restrict password length allows a user to set a password of arbitrary length. During authentication, if a user provides a password longer than 72 bytes, Strapi passes it directly to bcryptjs, which again only hashes the first 72 bytes. This creates a critical flaw: multiple different passwords that share the same first 72 bytes all produce the same password hash and successfully authenticate as the same user. An attacker who knows the first 72 bytes of a user's password can bypass authentication by appending any suffix, and a user may unknowingly end up with a weaker, truncated credential than the one they typed.
Platform: Strapi
Version: < 4.21.0
Vulnerability: Authentication Bypass
Severity: Critical
Date: 2024-10-17
Prediction: Patch 2024-11-15
What Undercode Says:
Simulating the bcryptjs truncation behavior: count the bytes of a candidate password and of the same password with a longer tail, since bcryptjs hashes only the first 72 bytes of whatever it receives.
# byte length of the shorter candidate (64 bytes despite its name, so under the 72-byte limit)
echo -n "ThisIsA72ByteLongPasswordWhichWillBeFullyUsedByTheHashingFunctio" | wc -c
# byte length of the extended candidate (85 bytes); bcryptjs would hash only its first 72 bytes
echo -n "ThisIsA72ByteLongPasswordWhichWillBeFullyUsedByTheHashingFunctionAndThisPartIsIgnored" | wc -c
// Example vulnerable code in Strapi (conceptual)
const bcrypt = require('bcryptjs');

async function checkPassword(userProvidedPassword, storedHash) {
  const password = userProvidedPassword; // No length check: any size is accepted
  return bcrypt.compare(password, storedHash); // Truncates internally to the first 72 bytes
}
Using a long password for testing. The shell builds an 85-character password so that the JSON body carries the literal characters (the e-mail address is a placeholder for the account under test):
curl -X POST http://localhost:1337/admin/login \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"user@example.com\",\"password\":\"$(printf 'A%.0s' $(seq 85))\"}"
How the exploit works:
1. A user sets an 85-character password.
2. An attacker who knows the first 72 characters logs in with only those.
3. Authentication succeeds, because bcryptjs hashed only those first 72 bytes when the password was stored.
4. A hash collision occurs: the 85-character password and its 72-character prefix produce the same hash.
Protection from this CVE
1. Enforce a maximum password length of 72 bytes (bcrypt's limit).
2. Truncate explicitly on the server side rather than relying on bcryptjs's silent truncation.
3. Validate password length on registration and on password change.
4. Update to a patched version (4.21.0 or later).
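To make the 72-byte boundary explicit at the application layer, here is an added example (not Strapi's or bcryptjs's code) that rejects over-long passwords by UTF-8 byte count and shows why two passwords sharing a 72-byte prefix are indistinguishable to a truncating hasher; the function names and sample inputs are assumptions of this example.

```javascript
// Added example (not Strapi's or bcryptjs's code): enforce the 72-byte
// bcrypt limit at the application boundary, counting UTF-8 bytes, not
// characters, and show why a truncating hasher cannot tell apart two
// passwords that share their first 72 bytes.
const BCRYPT_MAX_BYTES = 72;

// UTF-8 byte length of a password (what bcrypt actually consumes).
function passwordByteLength(password) {
  return Buffer.byteLength(password, 'utf8');
}

// Check to run on registration and password change. Returns { ok, reason }
// so the caller can reject the request instead of letting bcryptjs silently
// drop the tail. (Hypothetical helper, not a Strapi API.)
function validatePasswordLength(password) {
  if (typeof password !== 'string') {
    return { ok: false, reason: 'password must be a string' };
  }
  const bytes = passwordByteLength(password);
  if (bytes > BCRYPT_MAX_BYTES) {
    return { ok: false, reason: `password is ${bytes} bytes; maximum is ${BCRYPT_MAX_BYTES}` };
  }
  return { ok: true, reason: '' };
}

// The prefix a 72-byte-truncating hasher would actually see.
function effectivePrefix(password) {
  return Buffer.from(password, 'utf8').subarray(0, BCRYPT_MAX_BYTES);
}

// True when two passwords are indistinguishable after truncation, i.e.
// they would produce the same bcrypt hash and both verify for the account.
function collideUnderTruncation(a, b) {
  return effectivePrefix(a).equals(effectivePrefix(b));
}

// Constructed sample inputs.
const prefix72 = 'A'.repeat(72);               // exactly at the limit
const userPassword = prefix72 + 'IgnoredTail';  // 83 bytes, accepted by a naive check
const otherPassword = prefix72 + 'Whatever';    // same first 72 bytes, different tail
const accented = '\u00e9'.repeat(40);           // 40 characters but 80 UTF-8 bytes

console.log(validatePasswordLength(prefix72));      // ok
console.log(validatePasswordLength(userPassword));  // rejected: 83 bytes
console.log(validatePasswordLength(accented));      // rejected: 80 bytes
console.log(collideUnderTruncation(userPassword, otherPassword)); // true
```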
Impact:
Authentication Bypass
Performance Degradation
Hash Collision
Sources:
Reported By: github.com