Authentication Bypass by Primary Weakness in org.springframework.security:spring-security-crypto | CVE-2025-22228

Q: How to fix?

Upgrade org.springframework.security:spring-security-crypto to version 6.3.8, 6.4.4 or higher.

Introduced: 19 Mar 2025

NewCVE-2025-22228 (opens in a new tab) CWE-305 (opens in a new tab)

How to fix?

Upgrade org.springframework.security:spring-security-crypto to version 6.3.8, 6.4.4 or higher.

Overview

org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the BCryptPasswordEncoder.matches() function, which only takes the first 72 characters for comparison. Passwords longer than this will incorrectly return true when compared against other strings sharing the same first 72 characters, making them easier to brute force.

Note: Patches have also been issued for older versions of Enterprise Support packages.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
High
Integrity (SI)
High
Availability (SA)
None

Authentication Bypass by Primary Weakness Affecting org.springframework.security:spring-security-crypto package, versions [,6.3.8)[6.4.0,6.4.4)

Severity

Do your applications use this vulnerable package?

Introduced: 19 Mar 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk