Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2025-22234: Spring Security BCryptPasswordEncoder maximum password length breaks timing attack mitigation
Description
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider.
Affected Spring Products and Versions
Spring Security:
- 5.7.16 only
- 5.8.18 only
- 6.0.16 only
- 6.1.14 only
- 6.2.10 only
- 6.3.8 only
- 6.4.4 only
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 5.7.16 | 5.7.17 | Enterprise Support Only |
| 5.8.18 | 5.8.19 | Enterprise Support Only |
| 6.0.16 | 6.0.17 | Enterprise Support Only |
| 6.1.14 | 6.1.15 | Enterprise Support Only |
| 6.2.10 | 6.2.11 | Enterprise Support Only |
| 6.3.8 | 6.3.9 | OSS |
| 6.4.4 | 6.4.5 | OSS |
Credit
The issue was identified and responsibly reported by Jonas Robl ([email protected]).
References
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all