CVE-2025-22228

Overview

Spring Security is a powerful authentication and access control framework for Java applications, particularly those built using the Spring Framework. It provides a comprehensive security solution, addressing various concerns such as authentication, authorization, and protection against common security vulnerabilities.

Improper authentication takes place when an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

In this CVE, Spring Security BCryptPasswordEncoder does not enforce maximum password length, BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

This issue affects multiple versions of the org.springframework.security:spring-security-crypto package.

Vulnerability Dossier
CVE ID	CVE-2025-22228
Severity	High: 7.4
CWE-ID and name	CWE-287: Improper Authentication
Affected project	Spring Security
Affected packages	spring-security-crypto
Affected versions	5.6.2 and older, <5.7.0;5.7.15>, <5.8.0;5.8.16>, <6.0.0;6.0.15>, <6.1.0;6.1.13>, <6.2.0;6.2.9>, <6.3.0;6.3.7>, <6.4.0;6.4.3>
NVD publish date	20th of March 2025
TuxCare fix date	26th of March 2025
TuxCare fixed version	5.8.16.tuxcare

Detailed Exploration of CVE-2025-22228

Affected product: Spring Security
Affected packages: spring-security-crypto
Affected versions:
• 5.6.12 and older
• 5.7.0 – 5.7.15
• 5.8.0 – 5.8.17
• 6.0.0 – 6.0.15
• 6.1.0 – 6.1.13
• 6.2.0 – 6.2.9
• 6.3.0 – 6.3.7
• 6.4.0 – 6.4.3
GitHub repository:
• https://github.com/spring-projects/spring-security
Published packages:
• https://mvnrepository.com/artifact/org.springframework.security/spring-security-crypto
Fixed In:ELS for Spring Security v5.8.16.TuxCare

BCrypt-hashed passwords have a maximum length of 72 characters. The hashpw function in the BCrypt class of spring-security-crypto hashes only the first 72 characters of a password. Any password longer than this will only be validated based on its first 72 characters.

After applying the patch, existing passwords exceeding 72 characters need to be reset for proper functioning, as a user with such a password will simply not be able to login. New passwords with lengths exceeding 72 characters are not accepted.

Steps to Reproduce

Applying the test (credit: Joe Grandja) below allows us to test this vulnerability.


@Test
   public void enforcePasswordLength() {
       BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
       String password72chars = "123456789012345678901234567890123456789012345678901234567890123456789012";
       assertThat(encoder.matches(password72chars, encoder.encode(password72chars))).isTrue();
       String password73chars = password72chars.concat("a");
       assertThatIllegalArgumentException()
           .isThrownBy(() -> encoder.matches(password73chars, encoder.encode(password73chars)));
   }

Mitigation

Spring Security 5.8.x is no longer supported by the open-source community, as its End of Life date is 2023-12-31. This simply means that versions from that date do not receive any updates to address this issue.

‍Users of the affected components should apply one of the following mitigations:

Leverage TuxCare’s Endless Lifecycle Support, which extends regular community EOL security support.
Alternatively take the effort to upgrade to the newer still-supported Spring Security open-source versions that have integrated the fix: 6.3.8 or 6.4.4

Do you need a fix for this vulnerability for any other Spring Security version, please contact us, we are here to help you!

Automate your Linux patching while minimizing downtime, staying compliant, ensuring business continuity, and getting all the support you need.

Rebootless Patching

Endless Lifecycle Support

Vulnerability Management

TuxCare for AlmaLinux

Custom Services

Downloadables

Upcoming Webinar

Webinars

Helpful Links

TuxCare Knowledge Hub

Them vs. Us: Rebootless Patching

Who We Serve

CVE-2025-22228

Table of Contents

Follow Us On Social

Overview

Detailed Exploration of CVE-2025-22228

Steps to Reproduce

Mitigation

References

Services

Resources

About us

Contact Us

Rebootless Patching

Endless Lifecycle Support

Vulnerability Management

TuxCare for AlmaLinux

Custom Services

Downloadables

Upcoming Webinar

Webinars

Helpful Links

TuxCare Knowledge Hub

Them vs. Us: Rebootless Patching

Who We Serve

CVE-2025-22228

Table of Contents

Follow Us On Social

Overview

Detailed Exploration of CVE-2025-22228

Steps to Reproduce

Mitigation

References

Join

4,500