CVE-2025-22234

CWE-208 | 6 documents | 6 sources
Severity: 5.3 MEDIUM
EPSS: 0.0% (top 98.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 22

Description

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.
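The enumeration oracle the description refers to is easiest to understand with a model of the mitigation it names. The block below is an added example, not code from Spring Security or from this page: it models a DaoAuthenticationProvider-style provider in Python, with PBKDF2 standing in for BCrypt as the expensive hash, a 72-byte maximum password length (the limit the advisory titles refer to), and constructed sample accounts and passwords. The page does not describe the exact code path that broke the mitigation in the affected versions, and this model makes no claim about it; what it shows is what the intact mitigation does (a missing user costs the same hashing work as a wrong password), what the leak looks like when the dummy compare is skipped, and a probe that measures the difference from outside, which is the check you would run against your own login endpoint, with both a normal and an over-length password as inputs.

```python
"""Modeled username-enumeration timing oracle (CWE-208) and a probe for it.

Added illustration only. Not Spring Security code: PBKDF2 stands in for BCrypt,
and every username, password and dummy value below is constructed sample data.
"""
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 100_000        # stand-in work factor so one compare costs measurable time
MAX_PASSWORD_BYTES = 72     # BCrypt's input limit, the boundary the advisory titles name
SALT_LEN = 16


class PasswordEncoder:
    """Stand-in for a BCrypt-style encoder; counts expensive hashes for the harness."""

    def __init__(self) -> None:
        self.hashes_run = 0

    def _hash(self, raw: str, salt: bytes) -> bytes:
        self.hashes_run += 1
        return hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, ITERATIONS)

    def encode(self, raw: str) -> bytes:
        if len(raw.encode()) > MAX_PASSWORD_BYTES:
            raise ValueError("password longer than 72 bytes")
        salt = os.urandom(SALT_LEN)
        return salt + self._hash(raw, salt)

    def matches(self, raw: str, encoded: bytes) -> bool:
        # Modeled length check: over-length input is rejected before any hashing.
        # How the real encoder enforces its limit is not described on this page.
        if len(raw.encode()) > MAX_PASSWORD_BYTES:
            raise ValueError("password longer than 72 bytes")
        salt, digest = encoded[:SALT_LEN], encoded[SALT_LEN:]
        return hmac.compare_digest(self._hash(raw, salt), digest)


class Provider:
    """Modeled DaoAuthenticationProvider.

    mitigate=True runs the same expensive compare against a pre-encoded dummy hash
    when the username does not exist, so a missing user costs as much as a wrong
    password. mitigate=False is the bare lookup-then-compare that leaks.
    """

    def __init__(self, users: dict, encoder: PasswordEncoder, mitigate: bool) -> None:
        self.encoder = encoder
        self.mitigate = mitigate
        self.users = {name: encoder.encode(pw) for name, pw in users.items()}
        self.user_not_found_hash = encoder.encode("userNotFoundPassword")  # constructed dummy

    def authenticate(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        try:
            if stored is None:
                if self.mitigate:
                    self.encoder.matches(password, self.user_not_found_hash)
                return False
            return self.encoder.matches(password, stored)
        except ValueError:
            return False  # over-length password: rejected on both paths, no hashing


def hash_work(provider: Provider, username: str, password: str) -> int:
    """Number of expensive hashes one login attempt triggers (deterministic view)."""
    before = provider.encoder.hashes_run
    provider.authenticate(username, password)
    return provider.encoder.hashes_run - before


def probe(provider: Provider, known_user: str, password: str, samples: int = 5) -> tuple:
    """Black-box view: median latency in ms for a known user vs a guaranteed-missing one.

    A large gap between the two medians is the CWE-208 oracle an attacker harvests.
    """
    def median_ms(username: str) -> float:
        times = []
        for _ in range(samples):
            t0 = time.perf_counter()
            provider.authenticate(username, password)
            times.append((time.perf_counter() - t0) * 1000)
        return statistics.median(times)

    missing = "no-such-user-" + os.urandom(4).hex()  # constructed, never provisioned
    return median_ms(known_user), median_ms(missing)


if __name__ == "__main__":
    users = {"alice": "correct horse battery staple"}  # constructed sample account
    for mitigate in (False, True):
        p = Provider(users, PasswordEncoder(), mitigate=mitigate)
        for label, pw in (("normal password", "wrong-guess"), ("73-byte password", "x" * 73)):
            known, missing = probe(p, "alice", pw)
            print(f"mitigate={mitigate} {label}: known {known:.1f} ms, missing {missing:.1f} ms")
```

Run it once with `mitigate=False` and the missing-user median collapses to microseconds while the known-user median carries the full hash cost; with `mitigate=True` the two converge. Against a real deployment, use the same shape of probe (one provisioned account, one random username, many samples, median not mean) and include the over-length password case, since that is the input the advisory titles associate with the regression.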

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEList V5 | spring/spring_security | 7 versions (+6)

🔴 Vulnerability Details (3)

OSV: Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvider (2026-01-22)
CVEList: Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation (2026-01-22)
GHSA: Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvider (2026-01-22)

📋 Vendor Advisories (1)

Red Hat: org.springframework.security/spring-security-core: Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation (2026-01-22)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-22234 Impact, Exploitability, and Mitigation Steps | Wiz

Source: CVE-2025-22234 (MEDIUM, CVSS 5.3) | cvebase.io