Spring Security – BCrypt Password Encoder maximum password length breaks...

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

Basic Information

ID CVE-2025-22234

Source vmware

Published Jan 22, 2026 at 21:02

Modified Jan 22, 2026 at 21:27

Affected Product

Vendor Spring

Product Spring Security

Version 5.7.16

Affected Versions Spring Spring Security 5.7.16
Spring Spring Security 5.8.18
Spring Spring Security 6.0.16
Spring Spring Security 6.1.14
Spring Spring Security 6.2.10
Spring Spring Security 6.3.8
Spring Spring Security 6.4.4

CWE Classification

CWE-208

References

spring.io /security/cve-2025-22234/

{
    "lastseen": "",
    "description": "The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.",
    "published": "2026-01-22T21:02:23.992Z",
    "modified": "2026-01-22T21:27:13.558Z",
    "type": "cve",
    "title": "Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2025-22234/",
    "id": "CVE-2025-22234",
    "bulletinFamily": "",
    "cwe": [
        "CWE-208"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Security 5.7.16\nSpring Spring Security 5.8.18\nSpring Spring Security 6.0.16\nSpring Spring Security 6.1.14\nSpring Spring Security 6.2.10\nSpring Spring Security 6.3.8\nSpring Spring Security 6.4.4",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Security",
    "version": "5.7.16",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spring Security – BCrypt Password Encoder maximum password length breaks timing attack mitigation_CVE-2025-22234