Timing Attack Vulnerability in DaoAuthenticationProvider by Spring
CVE-2025-22234
What is CVE-2025-22234?
A vulnerability exists in the DaoAuthenticationProvider of Spring Security, where a fix for a previous issue unintentionally disabled the provider's timing attack mitigation. With that mitigation off, authentication attempts for non-existent users can complete measurably faster than attempts for existing users, so an attacker could use response-time differences to infer valid usernames and potentially other authentication behavior, particularly under specific configurations. Users of affected versions should apply the available updates to mitigate the risks associated with this vulnerability.
Affected Version(s)
Spring Security 5.7.16
Spring Security 5.8.18
News Articles
Spring Security Vulnerability Exposes Valid Usernames to Attackers
A newly identified security vulnerability, CVE-2025-22234, has exposed a critical weakness in the widely-used Spring Security framework.
References
CVSS V3.1
Timeline
Vulnerability published
First article discovered by GBHackers News
Vulnerability Reserved
