Detailed Exploration of CVE-2025-22234
- Affected product: Spring Security
- Affected packages: spring-security-crypto
spring-security-core
- Affected versions:
• 5.7.16 only
• 5.8.16.tuxcare only
• 5.8.16.tuxcare.1 only
• 5.8.16.tuxcare.2 only
• 5.8.18 only
• 6.0.16 only
• 6.1.14 only
• 6.2.10 only
• 6.3.8 only
• 6.4.4 only
- GitHub repository:
• https://github.com/spring-projects/spring-security
- Published packages:
• https://mvnrepository.com/artifact/org.springframework.security/spring-security-crypto
• https://mvnrepository.com/artifact/org.springframework.security/spring-security-core
- Fixed In:ELS for Spring Security v5.8.16.TuxCare.3
Vulnerability Info
This flaw stems from an error introduced in the BCryptPasswordEncoder as a consequence of a patch for CVE-2025-22228. This change inadvertently disrupted the timing attack mitigation previously present in DaoAuthenticationProvider. As a result, a remote attacker can identify by type of exception or different time response whether this username is present or not. This is known as user enumeration — the attacker can build a list of valid usernames.
Once attacker has real usernames, can:
- Perform brute-force attacks
- Launch phishing campaigns
- Exploit password reset or account recovery features
Mitigation
Spring Security 5.8.x is no longer supported by open source community as its End of Life date is 2023-12-31. It simply means that version from that date does not receive any updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Leverage the TuxCare support partner for Endless Lifecycle Support that extends regular community EoL security support and simply just apply our patches.
- Alternatively take the effort to upgrade to the newer still supported Spring Security open source versions that have integrated fix: 6.3.9 or 6.4.5
Do you need a fix for this vulnerability for any other Spring Security version, please contact us, we are here to help you!
Tech Support
Documentation
Login
Contact Us
