CVE-2025-22228
Overview
Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.
An Authentication Bypass vulnerability (CVE-2025-22228) has been identified in spring-security-crypto from Spring Security: BCrypt-encoded passwords longer than 72 characters are reported as matching whenever their first 72 characters match, regardless of what follows.
Per Common Attack Pattern Enumeration and Classification CAPEC-115: Authentication Bypass is when an attacker gains access to an application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
This issue affects multiple versions of Spring Security’s spring-security-crypto package.
Details
Module Info
- Product: Spring Security
- Affected packages: spring-security-crypto
- Affected versions: <=5.6.12, >=5.7.0 <5.7.16, >=5.8.0 <5.8.18, >=6.0.0 <=6.0.16, >=6.1.0 <6.1.14, >=6.2.0 <6.2.10, >=6.3.0 <6.3.8, >=6.4.0 <6.4.4
- GitHub repository: https://github.com/spring-projects/spring-security
- Published packages: https://central.sonatype.com/artifact/org.springframework.security/spring-security-crypto
- Package manager: Maven
- Fixed In: NES for Spring Security v4.2.24, v5.7.17, and v5.8.20
Vulnerability Info
BCrypt-hashed passwords have a maximum input length of 72 characters. The hashpw function in the BCrypt class of spring-security-crypto hashes only the first 72 characters of a password and silently ignores the rest. Any password longer than this is therefore validated solely on its first 72 characters, so two passwords that share a 72-character prefix verify against the same hash.
Note that passwords exceeding 72 characters will need to be reset to function correctly.
Steps To Reproduce
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;

import org.junit.jupiter.api.Test;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Test
public void enforcePasswordLength() {
    BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
    // 73 characters: one past the 72-character BCrypt input limit
    String password73chars = "123456789012345678901234567890123456789012345678901234567890123456789012a";
    // Patched versions reject the over-long password; vulnerable versions silently truncate and match
    assertThatIllegalArgumentException().isThrownBy(() ->
        encoder.matches(password73chars.concat("a"), encoder.encode(password73chars)));
}
The test above demonstrates the security vulnerability. It will fail on vulnerable versions and pass on patched versions. In vulnerable versions, encoder.matches returns true, indicating that only the first 72 characters are being checked.
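The following is an added example, not code from Spring Security or from this advisory's author. It shows the kind of guard the patched versions apply: a PasswordEncoder wrapper that refuses any password exceeding the 72-byte BCrypt input limit before delegating to BCryptPasswordEncoder, so a prefix-only match can never succeed. The class name LengthCheckingBCryptEncoder and the constant MAX_BCRYPT_BYTES are assumptions of this example; it checks UTF-8 bytes because that is the unit BCrypt truncates on (for the ASCII passwords in the test above, bytes and characters coincide). It is an interim measure only; upgrading to a fixed version remains the mitigation.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example (not Spring Security's own code): a PasswordEncoder that
 * fails closed on over-long input instead of letting BCrypt truncate it.
 */
public final class LengthCheckingBCryptEncoder implements PasswordEncoder {

    // BCrypt feeds only the first 72 bytes of the password into the hash.
    static final int MAX_BCRYPT_BYTES = 72;

    private final PasswordEncoder delegate = new BCryptPasswordEncoder();

    // Reject anything BCrypt would silently truncate.
    static void requireWithinBcryptLimit(CharSequence rawPassword) {
        if (rawPassword == null) {
            throw new IllegalArgumentException("rawPassword cannot be null");
        }
        int bytes = rawPassword.toString().getBytes(StandardCharsets.UTF_8).length;
        if (bytes > MAX_BCRYPT_BYTES) {
            throw new IllegalArgumentException(
                "password cannot be more than " + MAX_BCRYPT_BYTES + " bytes");
        }
    }

    @Override
    public String encode(CharSequence rawPassword) {
        requireWithinBcryptLimit(rawPassword);
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        requireWithinBcryptLimit(rawPassword);
        return delegate.matches(rawPassword, encodedPassword);
    }

    // Demonstration mirroring the advisory's test: a 72-character password
    // works normally, while the 73-character one (plus a trailing "a") is rejected
    // instead of matching on its first 72 characters.
    public static void main(String[] args) {
        PasswordEncoder encoder = new LengthCheckingBCryptEncoder();

        // Constructed sample values, not real credentials.
        String password72chars = "123456789012345678901234567890123456789012345678901234567890123456789012";
        String password73chars = password72chars + "a";

        String hash72 = encoder.encode(password72chars);
        System.out.println("72-char password matches its own hash: "
            + encoder.matches(password72chars, hash72));

        try {
            encoder.matches(password73chars.concat("a"), encoder.encode(password73chars));
            System.out.println("UNEXPECTED: over-long password was accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

Wiring this wrapper in as the application's PasswordEncoder bean makes the limit explicit at both encode and match time, which is also why existing users with passwords over 72 characters must reset them: their stored hashes were computed from a truncated input and the wrapper will refuse the full-length password rather than silently accept its prefix.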
Credit
- Lars Bruun-Hansen (lbruun@apache.org)
Mitigation
Spring Security 4 and 5 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Spring Security.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.