CVE-2025-22228

CWE-287 — Improper Authentication CWE-521 CWE-863 — Incorrect Authorization CWE-2089 documents7 sources

Severity

7.4HIGH

EPSS

0.0%

top 90.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Security

Timeline

PublishedMar 20

Latest updateJan 22

Description

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5spring/spring_security5.7.x — 5.7.16+13

▶Mavenorg.springframework.security:spring-security-crypto6.3.0 — 6.3.8+6

🔴Vulnerability Details

GHSA

Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide↗2026-01-22

▶

GHSA

Spring Security Does Not Enforce Password Length↗2025-03-20

▶

CVEList

CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length↗2025-03-20

▶

OSV

Spring Security Does Not Enforce Password Length↗2025-03-20

▶

📋Vendor Advisories

Red Hat

org.springframework.security/spring-security-core: Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation↗2026-01-22

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Common Core (Spring Security) — CVE-2025-22228↗2026-01-15

▶

Red Hat

spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length↗2025-03-20

▶

🕵️Threat Intelligence

Wiz

CVE-2025-22234 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶