CVE-2025-22228 – org.springframework.security:spring-security-crypto
Package
Manager: maven
Name: org.springframework.security:spring-security-crypto
Vulnerable Version: >=6.3.0 <6.3.8 || >=6.4.0 <6.4.4 || >=6.2.0 <6.2.10 || >=6.1.0 <6.1.14 || >=6.0.0 <6.0.16 || >=5.8.0 <5.8.18 || >=0 <5.7.16
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00057 (percentile 0.17716)
Details
Spring Security Does Not Enforce Password Length
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
Metadata
Created: 2025-03-20T06:31:09Z
Modified: 2025-04-26T00:30:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-mg83-c7gq-rv5c/GHSA-mg83-c7gq-rv5c.json
CWE IDs: ["CWE-287", "CWE-521"]
Alternative ID: GHSA-mg83-c7gq-rv5c
Finding: F035
Auto approve: 1