CVE-2025-22228
Severity: HIGH
Spring Security Crypto 6.3.0-6.3.7 and Spring Security 5.7.x-6.4.x - Improper Authentication via BCryptPasswordEncoder
Title source: llmDescription
BCryptPasswordEncoder.matches(CharSequence, String) incorrectly returns true for passwords longer than 72 characters as long as the first 72 characters match the stored password.
References (2)
Vendor Advisory: https://spring.io/security/cve-2025-22228
Vendor Advisory: https://security.netapp.com/advisory/ntap-20250425-0009/
Scores
CVSS v3: 7.4
EPSS: 0.0052
EPSS Percentile: 40.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-287
Status: published
Products (8)
org.springframework.security/spring-security-crypto 6.3.0 - 6.3.8 (Maven)
Spring/Spring Security 5.7.x - 5.7.16
Spring/Spring Security 5.8.x - 5.8.18
Spring/Spring Security 6.0.x - 6.0.16
Spring/Spring Security 6.1.x - 6.1.14
Spring/Spring Security 6.2.x - 6.2.10
Spring/Spring Security 6.3.x - 6.3.8
Spring/Spring Security 6.4.x - 6.4.4
Published: Mar 20, 2025
Tracked Since: Feb 18, 2026