A recently disclosed vulnerability in Spring Security’s authentication mechanism (CVE-2025-22234) allows attackers to infer valid usernames by analyzing login response times.
The flaw, rated low risk (CVSSv4.0: 1.7), stems from a regression introduced in patches for a prior BCryptPasswordEncoder issue (CVE-2025-22228), which inadvertently disabled timing attack mitigations in the DaoAuthenticationProvider.
Technical Overview
The vulnerability affects Spring Security’s spring-security-crypto module when using BCryptPasswordEncoder with passwords exceeding 72 characters.
Prior fixes for CVE-2025-22228 modified the encoder to throw exceptions for overly long passwords, altering exception-handling behavior and exposing differences in processing valid versus invalid usernames.
Mechanism of Exploitation:
- Valid Usernames: Trigger a full password hashing process, resulting in longer response times.
- Invalid Usernames: Skip password checks, returning faster responses.
- Mitigation Bypass: The patch for CVE-2025-22228 disrupted Spring Security’s default behavior of performing uniform password checks regardless of username validity, reintroducing measurable timing discrepancies.
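To make the mechanism concrete, the following is an added illustration (not code from Spring Security itself) of the defensive pattern the mitigation relies on: the length limit is enforced before any hashing, and exactly one bcrypt comparison runs whether or not the username exists, so neither path leaks which case occurred. The class, the in-memory user store and the sample credentials are constructed for this example; BCryptPasswordEncoder and PasswordEncoder are Spring Security's real types.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.UUID;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical authenticator showing the timing-uniform check described above.
public final class UniformTimingAuthenticator {
    // bcrypt only processes the first 72 bytes of its input; reject longer
    // passwords up front so both the known-user and unknown-user paths do so identically.
    private static final int BCRYPT_MAX_BYTES = 72;

    private final PasswordEncoder encoder;
    private final Map<String, String> encodedPasswordByUser; // constructed sample store
    private final String userNotFoundEncodedPassword;        // dummy hash for unknown users

    UniformTimingAuthenticator(PasswordEncoder encoder, Map<String, String> store) {
        this.encoder = encoder;
        this.encodedPasswordByUser = store;
        // Encode a random value once so an unknown-user check still costs a full bcrypt comparison.
        this.userNotFoundEncodedPassword = encoder.encode(UUID.randomUUID().toString());
    }

    boolean authenticate(String username, CharSequence presented) {
        // Length check first, on every path: an over-long password never reaches the encoder,
        // so it cannot throw (or be skipped) only when the username happens to be valid.
        if (presented.toString().getBytes(StandardCharsets.UTF_8).length > BCRYPT_MAX_BYTES) {
            return false;
        }
        String stored = encodedPasswordByUser.get(username);
        boolean userExists = stored != null;
        // Exactly one bcrypt comparison happens regardless of whether the user exists.
        boolean matches = encoder.matches(presented, userExists ? stored : userNotFoundEncodedPassword);
        return userExists && matches;
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        Map<String, String> store = Map.of("alice", encoder.encode("correct horse battery staple"));
        UniformTimingAuthenticator auth = new UniformTimingAuthenticator(encoder, store);
        System.out.println(auth.authenticate("alice", "correct horse battery staple")); // known user, right password
        System.out.println(auth.authenticate("alice", "wrong"));                        // known user, wrong password
        System.out.println(auth.authenticate("mallory", "wrong"));                      // unknown user, same hashing cost
        System.out.println(auth.authenticate("alice", "x".repeat(80)));                 // over-long password, rejected before hashing
    }
}
```

Compile with spring-security-crypto on the classpath; the point to verify is that the unknown-user and wrong-password calls perform the same bcrypt work, while the over-long input is rejected on both paths before the encoder is invoked.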
Risk Assessment
Factor | Details |
---|---|
CVSSv4.0 Score | 1.7 (Low) |
Exploit Vector | Network-based, non-authenticated |
Impact | Information exposure (username validation) |
Patch Availability | Yes (Fixed in NES versions) |
Affected Versions | 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, 6.3.8, 6.4.4 |
Fixed Versions | 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9 (OSS), 6.4.5 (OSS) |
Affected Components and Patches
Spring Security versions listed below require immediate updates:
Affected Version | Fixed Version | Availability |
---|---|---|
5.7.16 | 5.7.17 | Enterprise Support Only |
5.8.18 | 5.8.19 | Enterprise Support Only |
6.0.16 | 6.0.17 | Enterprise Support Only |
6.1.14 | 6.1.15 | Enterprise Support Only |
6.2.10 | 6.2.11 | Enterprise Support Only |
6.3.8 | 6.3.9 | OSS |
6.4.4 | 6.4.5 | OSS |
Open-source users must upgrade to 6.3.9 or 6.4.5, while enterprise editions require vendor-supported patches.
Mitigation Steps
- Upgrade Dependencies:

```xml
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-crypto</artifactId>
  <version>6.4.5</version> <!-- Example fixed version -->
</dependency>
```

- Validate Password Length: Ensure passwords do not exceed 72 characters when using BCryptPasswordEncoder.
- Monitor Authentication Logs: Watch for abnormal login attempts targeting long passwords.
- Commercial Support: Organizations using end-of-life (EOL) versions should consider solutions like HeroDevs’ Never-Ending Support (NES).
While CVE-2025-22234 poses a low immediate risk, it highlights the cascading impact of security patches in complex frameworks.
Developers must prioritize updating to fixed versions and rigorously test authentication flows for timing inconsistencies.
Spring Security users on community-supported releases have accessible fixes, but enterprises relying on older branches face additional challenges, underscoring the importance of long-term support strategies.
Reported by Jonas Robl and addressed by the Spring Security team.