Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreThe fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider
.
Spring Security:
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s) | Fix version | Availability |
---|---|---|
5.7.16 | 5.7.17 | Enterprise Support Only |
5.8.18 | 5.8.19 | Enterprise Support Only |
6.0.16 | 6.0.17 | Enterprise Support Only |
6.1.14 | 6.1.15 | Enterprise Support Only |
6.2.10 | 6.2.11 | Enterprise Support Only |
6.3.8 | 6.3.9 | OSS |
6.4.4 | 6.4.5 | OSS |
The issue was identified and responsibly reported by Jonas Robl ([email protected]).
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy