.avif)
View all vulnerabilities
CVE-2025-22228
Spring Security Does Not Enforce Password Length
Description
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
Patch Available
Fix available through Seal Security. No upgrade required, protect your application instantly.
Fix without upgradingVulnerability Details
Score
7.4
Score Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Versions
org.springframework.security:spring-security-crypto >= 6.3.0 < 6.3.8; org.springframework.security:spring-security-crypto >= 6.4.0 < 6.4.4; org.springframework.security:spring-security-crypto >= 6.2.0 < 6.2.10; org.springframework.security:spring-security-crypto >= 6.1.0 < 6.1.14; org.springframework.security:spring-security-crypto >= 6.0.0 < 6.0.16; org.springframework.security:spring-security-crypto >= 5.8.0 < 5.8.18; org.springframework.security:spring-security-crypto < 5.7.16
Severity
High
High
High
Ecosystem
Java
Publish Date
March 20, 2025
Modified Date
April 25, 2025