Security features bypass in Spring Security - CVE-2025-22228
Published: March 19, 2025
Vulnerability identifier: #VU105881
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-22228
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: VMware, Inc
Affected software:
Spring Security
Spring Security
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to BCryptPasswordEncoder does not properly enforce maximum password length and will return "true" for passwords larger than 72 characters as long as the first 72 characters are the same. This can be used set weak passwords that can be easily brute-forced.
How to mitigate CVE-2025-22228
Install updates from vendor's website.