CVE-2025-22228

Summary

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

Affected Software

VendorProductVersion RangeStatus
SpringSpring Security5.7.x < 5.7.16affected
SpringSpring Security5.8.x < 5.8.18affected
SpringSpring Security6.0.x < 6.0.16affected
SpringSpring Security6.1.x < 6.1.14affected
SpringSpring Security6.2.x < 6.2.10affected
SpringSpring Security6.3.x < 6.3.8affected
SpringSpring Security6.4.x < 6.4.4affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References