CVE-2025-22228
Published: 20 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-22228 is a vulnerability in the BCryptPasswordEncoder.matches(CharSequence, String) method of Spring Security: because bcrypt only processes the first 72 bytes of its input, the method incorrectly returns true for any password longer than 72 characters whose first 72 characters match the password behind the stored hash. The flaw is classified under CWE-287 (Improper Authentication) and affects applications that use this password encoder for authentication. It was published on 2025-03-20 with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), a high severity reflecting its impact on confidentiality and integrity.
Remote unauthenticated attackers (PR:N) can exploit this over the network (AV:N), though attack complexity is high (AC:H). By submitting a password whose first 72 characters match those of the legitimate password, an attacker passes the authentication check and gains unauthorized access to protected resources, with high confidentiality and integrity impact and no effect on availability.
Mitigation guidance is provided in the official Spring Security advisory at https://spring.io/security/cve-2025-22228 and a related NetApp advisory at https://security.netapp.com/advisory/ntap-20250425-0009/. Security practitioners should consult these for patching instructions, upgrade recommendations, or workarounds specific to affected Spring versions and dependent products.
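The check a practitioner would want here, as an added example that is not from the advisory or from Spring Security: a hypothetical Java wrapper around BCryptPasswordEncoder that refuses inputs longer than bcrypt's 72-byte limit (so a prefix match can never authenticate), plus a probe that reports whether the BCryptPasswordEncoder on your classpath still shows the behaviour described above. Class and method names are my own; it assumes Java 11+ and spring-security-crypto on the classpath.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical wrapper (not part of Spring Security): rejects inputs longer than
// bcrypt's 72-byte limit so that a prefix match can never authenticate.
public final class LengthCheckedBCryptEncoder implements PasswordEncoder {
    // bcrypt consumes at most 72 bytes of key material; anything after that is ignored.
    private static final int BCRYPT_MAX_BYTES = 72;
    private final BCryptPasswordEncoder delegate = new BCryptPasswordEncoder();

    // Measure in UTF-8 bytes, the unit bcrypt truncates on, not in chars.
    private static boolean tooLong(CharSequence raw) {
        return raw.toString().getBytes(StandardCharsets.UTF_8).length > BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        if (rawPassword == null || tooLong(rawPassword)) {
            throw new IllegalArgumentException("password must be 1..72 UTF-8 bytes");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Fail closed instead of letting bcrypt silently truncate the input.
        if (rawPassword == null || encodedPassword == null || tooLong(rawPassword)) {
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }

    // Probe for the advisory's behaviour: hash an exactly-72-byte password, then ask the
    // stock encoder whether that password with extra characters appended still matches.
    public static boolean stockEncoderAcceptsOverlongPassword() {
        BCryptPasswordEncoder stock = new BCryptPasswordEncoder();
        String base = "a".repeat(BCRYPT_MAX_BYTES);
        String hash = stock.encode(base);
        try {
            return stock.matches(base + "-anything-appended", hash); // true on affected versions
        } catch (IllegalArgumentException rejected) {
            return false; // a version that rejects over-long input is not affected
        }
    }
}
```

Run stockEncoderAcceptsOverlongPassword() from the application's own test suite so that a dependency downgrade reintroducing the behaviour fails the build.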
Details
- CWE(s): CWE-287 (Improper Authentication)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote authentication bypass in Spring Security's password encoder; where that encoder guards a public-facing application, exploiting it gives an attacker unauthorized access to that application.