• Security risk: Medium critical
• Vulnerability: bcrypt has a maximum password length

Description

bcrypt hashes at most the first 72 bytes of a password; anything past that point is silently discarded before the key schedule runs. Two passwords whose first 72 bytes are identical therefore produce the same hash under the same salt, and each verifies against the other's hash, however they differ after that point. A user who chooses a password longer than 72 characters gets no additional protection from the extra characters and receives no warning that they are ignored.

Reported by

Question on http://security.stackexchange.com.

Versions affected

loopback 2.29.1 and earlier


Solution

LoopBack now validates password length when a new account is created and when an existing user resets their password. A password longer than 72 characters is rejected with an error instead of being accepted and silently truncated by bcrypt.
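As an added example that is not part of this advisory or of LoopBack's own code, the following Node.js snippet shows both points: why two passwords that agree on their first 72 bytes hash identically under bcrypt, and a pre-hash length check of the kind the 2.30.0 fix introduces. It uses only Node's built-in Buffer; the function names and the sample passwords are constructed for the illustration. One caveat it encodes: bcrypt's limit is 72 bytes of the UTF-8 encoding, while the advisory speaks of 72 characters, so the check below counts bytes rather than characters.

```javascript
// Added illustration (not LoopBack code): what bcrypt's 72-byte limit does to a
// long password, and a length check in the spirit of the LoopBack 2.30.0 fix.

const MAX_BCRYPT_BYTES = 72;

// bcrypt's key schedule reads at most 72 bytes of the UTF-8 encoded password and
// never looks at the rest. This returns the bytes bcrypt would actually consume.
function bcryptEffectiveInput(password) {
  return Buffer.from(password, 'utf8').subarray(0, MAX_BCRYPT_BYTES);
}

// True when bcrypt would derive the same hash for both passwords under the same
// salt, i.e. when they agree on their first 72 bytes.
function collideUnderBcrypt(a, b) {
  return bcryptEffectiveInput(a).equals(bcryptEffectiveInput(b));
}

// Reject over-long passwords up front instead of letting bcrypt truncate them.
// Assumption (hypothetical helper): we count UTF-8 bytes, because that is what
// bcrypt's limit is. A check on string.length would let a 40-character password
// made of 2-byte characters (80 bytes) through and still lose its tail.
function validatePasswordLength(password) {
  if (typeof password !== 'string') {
    return { ok: false, reason: 'password must be a string' };
  }
  const bytes = Buffer.byteLength(password, 'utf8');
  if (bytes > MAX_BCRYPT_BYTES) {
    return {
      ok: false,
      bytes,
      reason: `password is ${bytes} bytes; bcrypt only uses the first ${MAX_BCRYPT_BYTES}`,
    };
  }
  return { ok: true, bytes };
}

// Constructed sample inputs: two passwords identical for 72 bytes, different after.
const SHARED_PREFIX = 'a'.repeat(72);
const PASSWORD_A = SHARED_PREFIX + 'correct-horse';
const PASSWORD_B = SHARED_PREFIX + 'battery-staple';
// 40 characters but 80 UTF-8 bytes: passes a character-count check, still truncated.
const ACCENTED = '\u00e9'.repeat(40);

console.log('A and B collide under bcrypt:', collideUnderBcrypt(PASSWORD_A, PASSWORD_B));
console.log('A accepted by validator:', validatePasswordLength(PASSWORD_A).ok);
console.log('exactly 72 bytes accepted:', validatePasswordLength(SHARED_PREFIX).ok);
console.log('40 accented chars accepted:', validatePasswordLength(ACCENTED).ok);
```

Wiring a check like this into a user model's `beforeSave` hook (or whatever hook the application already uses for password handling) turns the silent truncation into a 422-style validation error the client can act on.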

LoopBack version 2.30.0 fixes this issue. Ensure that your application’s package.json has the following line:

"dependencies": {
   "loopback": "^2.30.0",

Then upgrade your project dependencies to use the latest version:

$ cd <app-root>
$ npm update