Lack of data validation - Path Traversal In org.springframework.security:spring-security-core

Description

Spring Security has a broken timing attack mitigation in DaoAuthenticationProvider. The fix applied for CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. Under certain configurations this can allow attackers to infer valid usernames or other authentication behavior from differences in response time.
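As an added illustration (not code from Spring Security or from this advisory), the following Python models the mitigation the description refers to: a naive authenticator returns early for an unknown username and skips the expensive password hash, while the mitigated one performs the same hash work whether or not the user exists. The user store, salt and dummy password are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: username -> PBKDF2 hash. Made-up test data, not
# values from the advisory. A single fixed salt keeps the example short.
_SALT = b"constructed-salt-0001"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse battery staple")}

# Hash of a random dummy password, computed once at startup. The mitigated
# path verifies against it when the username is unknown so the same work is done.
DUMMY_HASH = _hash("dummy-" + secrets.token_hex(8))

hash_calls = 0  # counts expensive hash computations per attempt (for checking)


def _verify(candidate: str, stored: bytes) -> bool:
    global hash_calls
    hash_calls += 1
    return hmac.compare_digest(_hash(candidate), stored)


def authenticate_naive(username: str, password: str) -> bool:
    """Early return for an unknown user: no hash is computed, so the response is
    measurably faster than for a known user with a wrong password."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return _verify(password, stored)


def authenticate_mitigated(username: str, password: str) -> bool:
    """Exactly one hash computation on every path, so response time does not
    reveal whether the username exists."""
    stored = USERS.get(username)
    if stored is None:
        _verify(password, DUMMY_HASH)  # burn the same work, discard the result
        return False
    return _verify(password, stored)


def hash_work(fn, username: str, password: str) -> int:
    """Number of hash computations fn performs for a single login attempt."""
    global hash_calls
    hash_calls = 0
    fn(username, password)
    return hash_calls
```

The naive path does zero hash computations for an unknown user and one for a known user; the mitigated path does one in both cases, which is the property the broken fix lost.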

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
