Timing Attack in org.springframework.security:spring-security-crypto | CVE-2025-22234

Q: How to fix?

Upgrade org.springframework.security:spring-security-crypto to version 6.3.9, 6.4.5 or higher.

Introduced: 22 Apr 2025

NewCVE-2025-22234 (opens in a new tab) CWE-208 (opens in a new tab)

How to fix?

Upgrade org.springframework.security:spring-security-crypto to version 6.3.9, 6.4.5 or higher.

Overview

org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security.

Affected versions of this package are vulnerable to Timing Attack due to an unintentional bypass for DaoAuthenticationProvider constant time controls, which was caused by the fix for the password length vulnerability described in (CVE-2025-22228)[https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-9486467].

Note: Patches have also been issued for older versions of Enterprise Support packages.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Timing Attack Affecting org.springframework.security:spring-security-crypto package, versions [6.3.8,6.3.9)[6.4.4,6.4.5)

Severity

Do your applications use this vulnerable package?

Introduced: 22 Apr 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk