Password Validation Flaw in Spring Security Affects BCryptPasswordEncoder
CVE-2025-22228
7.4 HIGH
What is CVE-2025-22228?
BCryptPasswordEncoder, the bcrypt implementation shipped in Spring Security (spring-security-crypto), did not enforce a maximum password length. The bcrypt key schedule only ever consumes the first 72 bytes of its input, so on affected releases BCryptPasswordEncoder.matches(CharSequence, String) returns true for any candidate password longer than 72 characters whose first 72 characters equal the first 72 characters of the registered password; whatever follows never reaches the hash. In effect the secret being checked is the 72-character prefix: an attacker who knows or guesses that prefix is authenticated regardless of the remainder, and users who rely on long passphrases get less protection than their length suggests. Note that the limit is 72 bytes, not characters, so passwords containing multi-byte UTF-8 characters hit it sooner.
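The following is an added example, not code from Spring Security or from the advisory. It builds two distinct passwords that share their first 72 bytes to show the prefix collision on an affected release, and wraps the real BCryptPasswordEncoder in a hypothetical LengthCheckedBCryptEncoder that enforces the bcrypt input limit itself (rejecting over-length passwords at registration, failing the login check for over-length candidates). The catch block assumes that patched releases reject over-length input with an IllegalArgumentException, so the demo runs on either side of the fix.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import java.nio.charset.StandardCharsets;

/**
 * Added example (not Spring Security's own code): demonstrates the bcrypt
 * 72-byte prefix collision and a wrapper that enforces the limit up front.
 */
public class BcryptLengthDemo {

    // bcrypt's key schedule consumes at most 72 bytes of the password;
    // anything beyond that never influences the resulting hash.
    static final int BCRYPT_MAX_BYTES = 72;

    static boolean exceedsBcryptLimit(CharSequence rawPassword) {
        // Count UTF-8 bytes rather than chars: multi-byte characters reach the limit sooner.
        return rawPassword.toString().getBytes(StandardCharsets.UTF_8).length > BCRYPT_MAX_BYTES;
    }

    /** Hypothetical wrapper name; delegates all real hashing to BCryptPasswordEncoder. */
    static final class LengthCheckedBCryptEncoder implements PasswordEncoder {
        private final PasswordEncoder delegate = new BCryptPasswordEncoder();

        @Override
        public String encode(CharSequence rawPassword) {
            if (exceedsBcryptLimit(rawPassword)) {
                // Fail closed at registration: never store a hash of a silently truncated password.
                throw new IllegalArgumentException("password exceeds the 72-byte bcrypt limit");
            }
            return delegate.encode(rawPassword);
        }

        @Override
        public boolean matches(CharSequence rawPassword, String encodedPassword) {
            // An over-length candidate can only match through a prefix collision; treat it as a failed login.
            if (exceedsBcryptLimit(rawPassword)) {
                return false;
            }
            return delegate.matches(rawPassword, encodedPassword);
        }
    }

    public static void main(String[] args) {
        // Constructed test data: two different passwords sharing the same first 72 bytes.
        String sharedPrefix = "A".repeat(BCRYPT_MAX_BYTES);
        String registered = sharedPrefix + "-correct-suffix";
        String attacker = sharedPrefix + "-anything-else";

        BCryptPasswordEncoder plain = new BCryptPasswordEncoder();
        try {
            String hash = plain.encode(registered);
            // On an affected release this prints true: the suffix never reached bcrypt.
            System.out.println("unwrapped encoder accepts wrong password: " + plain.matches(attacker, hash));
        } catch (IllegalArgumentException e) {
            // Assumption of this example: patched releases reject over-length input before hashing.
            System.out.println("patched encoder rejected over-length password: " + e.getMessage());
        }

        PasswordEncoder safe = new LengthCheckedBCryptEncoder();
        String okHash = safe.encode("correct horse battery staple");
        System.out.println("wrapper, correct password:     " + safe.matches("correct horse battery staple", okHash));
        System.out.println("wrapper, over-length password: " + safe.matches(attacker, okHash));
    }
}
```

Operational caveat: hashes already stored for passwords longer than 72 bytes were computed over the prefix only, so a wrapper that fails over-length candidates will lock those users out until they reset their password. Decide deliberately between failing the login, accepting the prefix one last time and forcing a reset, or migrating those accounts, rather than discovering the behaviour from support tickets after upgrading.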
Affected Version(s)
Spring Security 5.7.x < 5.7.16
Spring Security 5.8.x < 5.8.18