Capgo - Denial of Service via Improper Password Policy Length Validation

An authenticated organization administrator navigates to the Organization Security Settings, enables the "Enforce Password Policy" toggle, and sets the Minimum Password Length field to an extremely large numeric value (e.g., 1000000000000000). The application fails to validate this input on the server side, so the impossible policy is saved and immediately enforced. All organization members are then required to comply with the unrealistic minimum length, making it impossible for any user to create or change a password. This results in a complete organization-wide account lockout and application-level denial of service, as even administrators lose the ability to access the organization [ref_id=1].

The advisory recommends implementing strict maximum limits for password length (e.g., 128 characters), validating policy configuration on the server side, and preventing unrealistic or extreme numeric values before the policy is applied [ref_id=1]. No patch diff is provided in the bundle, so the exact code changes are not visible; however, the remediation guidance makes clear that the fix must add server-side bounds checking to the minimum password length field. Without such validation, any administrator can trivially trigger an organization-wide denial of service.