Password Validation Flaw in Spring Framework Affects BCryptPasswordEncoder
CVE-2025-22228

7.4 HIGH

Key Information:

Vendor: Spring
CVE Published: 20 March 2025

Summary

A vulnerability exists in the BCryptPasswordEncoder component of the Spring Framework that can lead to improper password validation. Specifically, the method BCryptPasswordEncoder.matches(CharSequence, String) may incorrectly return true for passwords longer than 72 characters if the first 72 characters match. This flaw could grant unauthorized access, since an attacker only needs to satisfy the weakened password check to compromise a user account.
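As an added illustration (not code from this advisory or from Spring Security itself), the decorator below enforces bcrypt's 72-byte input limit in front of BCryptPasswordEncoder, so an over-long password is rejected at encode time and fails closed at match time instead of being compared on its first 72 bytes. The class name and the UTF-8 byte-length check are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical wrapper (not part of Spring Security): enforces bcrypt's
 * 72-byte input limit before delegating, so an over-long password is
 * rejected instead of being silently compared by its first 72 bytes.
 */
public final class LengthCheckedBCryptEncoder implements PasswordEncoder {

    /** bcrypt hashes at most 72 bytes of input; anything beyond is ignored. */
    static final int BCRYPT_MAX_BYTES = 72;

    private final PasswordEncoder delegate = new BCryptPasswordEncoder();

    /** Length is measured in UTF-8 bytes, which is what bcrypt actually consumes. */
    static boolean withinBcryptLimit(CharSequence raw) {
        return raw != null
            && raw.toString().getBytes(StandardCharsets.UTF_8).length <= BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        if (!withinBcryptLimit(rawPassword)) {
            // Fail loudly at registration: storing a truncated hash is what
            // later lets a longer password with the same prefix match.
            throw new IllegalArgumentException(
                "password exceeds " + BCRYPT_MAX_BYTES + " bytes");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Fail closed at login: never let the delegate compare only a prefix.
        return withinBcryptLimit(rawPassword)
            && delegate.matches(rawPassword, encodedPassword);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new LengthCheckedBCryptEncoder();
        String password = "p".repeat(72);            // exactly at the limit
        String hash = encoder.encode(password);
        System.out.println("same password:  " + encoder.matches(password, hash));
        System.out.println("prefix + extra: " + encoder.matches(password + "X", hash));
    }
}
```

The second check returns false because the input is 73 bytes, whereas an unwrapped encoder on an affected version would compare only the first 72 bytes.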

Affected Version(s)

Spring Security 5.7.x < 5.7.16

Spring Security 5.8.x < 5.8.18


CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
