CVE-2025-22234 - Vulnerability Details - OpenCVE

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Spring	Spring

No data.

No data.

References

Link	Providers
https://spring.io/security/cve-2025-22234/

History

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Spring Spring spring
Vendors & Products		Spring Spring spring

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.
Title		Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation
Weaknesses		CWE-208
References		https://spring.io/security/cve-2025-22234/
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-01-22T21:02:23.992Z

Updated: 2026-01-22T21:27:13.558Z

Reserved: 2025-01-02T04:29:59.191Z

Link: CVE-2025-22234

Vulnrichment

Updated: 2026-01-22T21:27:08.374Z

NVD

Status : Received

Published: 2026-01-22T21:15:49.420

Modified: 2026-01-22T21:15:49.420

Link: CVE-2025-22234

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-22234", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2025-01-02T04:29:59.191Z", "datePublished": "2026-01-22T21:02:23.992Z", "dateUpdated": "2026-01-22T21:27:13.558Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://spring.io/projects/spring-security", "defaultStatus": "affected", "product": "Spring Security", "vendor": "Spring", "versions": [{"status": "affected", "version": "5.7.16", "versionType": "semver"}, {"status": "affected", "version": "5.8.18", "versionType": "semver"}, {"status": "affected", "version": "6.0.16", "versionType": "semver"}, {"status": "affected", "version": "6.1.14", "versionType": "semver"}, {"status": "affected", "version": "6.2.10", "versionType": "semver"}, {"status": "affected", "version": "6.3.8", "versionType": "semver"}, {"status": "affected", "version": "6.4.4", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Jonas Robl"}], "datePublic": "2025-04-25T15:43:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.</p>"}], "value": "The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "description": "CWE-208 Timing Descrepency", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-01-22T21:02:23.992Z"}, "references": [{"name": "Spring Security Advisory: CVE-2025-22234", "tags": ["vendor-advisory"], "url": "https://spring.io/security/cve-2025-22234/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line).</p>"}], "value": "Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line)."}], "source": {"discovery": "UNKNOWN"}, "title": "Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T21:27:06.559653Z", "id": "CVE-2025-22234", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T21:27:13.558Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-22234", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T21:27:06.559653Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T21:27:08.374Z"}}], "cna": {"title": "Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Jonas Robl"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.16", "versionType": "semver"}, {"status": "affected", "version": "5.8.18", "versionType": "semver"}, {"status": "affected", "version": "6.0.16", "versionType": "semver"}, {"status": "affected", "version": "6.1.14", "versionType": "semver"}, {"status": "affected", "version": "6.2.10", "versionType": "semver"}, {"status": "affected", "version": "6.3.8", "versionType": "semver"}, {"status": "affected", "version": "6.4.4", "versionType": "semver"}], "collectionURL": "https://spring.io/projects/spring-security", "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line).", "supportingMedia": [{"type": "text/html", "value": "<p>Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line).</p>", "base64": false}]}], "datePublic": "2025-04-25T15:43:00.000Z", "references": [{"url": "https://spring.io/security/cve-2025-22234/", "name": "Spring Security Advisory: CVE-2025-22234", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.", "supportingMedia": [{"type": "text/html", "value": "<p>The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 Timing Descrepency"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-01-22T21:02:23.992Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22234", "state": "PUBLISHED", "dateUpdated": "2026-01-22T21:27:13.558Z", "dateReserved": "2025-01-02T04:29:59.191Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-01-22T21:02:23.992Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}