CVE-2025-22234

Summary

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

Affected Software

VendorProductVersion RangeStatus
SpringSpring Security5.7.16affected
SpringSpring Security5.8.18affected
SpringSpring Security6.0.16affected
SpringSpring Security6.1.14affected
SpringSpring Security6.2.10affected
SpringSpring Security6.3.8affected
SpringSpring Security6.4.4affected

Weaknesses

  • CWE-208: CWE-208 Timing Descrepency

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References