CVE-2025-22228
Aliases: GHSA-mg83-c7gq-rv5c
Advisory lineage Upstream: 0 Downstream: 7
Deferred
Published: 20 Mar 2025, 05:49
Last modified: 26 Feb 2026, 19:09
Vulnerability Summary
Overall Risk (default): medium (30/100)
CVSS Score: 7.4 HIGH (v3.1, cve.org)
EPSS Score: 0.07% LOW (≈0% probability; change -0.05%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
- 20 Mar 2025, 05:49: Published (vulnerability first disclosed)
- 26 Feb 2026, 19:09: Last modified (vulnerability information updated)
Description
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same. The root cause is a property of the bcrypt algorithm itself: its key schedule consumes at most 72 bytes of the (UTF-8 encoded) password, so any input beyond that never influences the hash, and two passwords that agree on their first 72 bytes produce the same digest and compare equal. The affected releases neither rejected such input on encode() nor refused to compare it on matches().
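The class below is an added example, not code from the Spring Security project or the advisory. It wraps the real `BCryptPasswordEncoder` in a hypothetical `LengthCheckedBCryptEncoder` (the class name and the `BCRYPT_MAX_BYTES` constant are assumptions) that enforces bcrypt's 72-byte input limit on both `encode()` and `matches()`, so the collision in the description cannot be accepted by the application even while an affected version is on the classpath. The limit is measured in UTF-8 bytes rather than characters, since that is what the bcrypt key schedule consumes, which is why the demo in `main` also checks a short password made of two-byte characters; all passwords in `main` are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical wrapper (assumed name, not part of Spring Security) that refuses
 * any raw password whose UTF-8 encoding is longer than bcrypt's 72-byte input
 * limit, on both encode() and matches(). bcrypt's key schedule only consumes
 * the first 72 bytes, so two passwords that agree on those bytes produce the
 * same hash; the wrapper closes that path regardless of the library version.
 */
public final class LengthCheckedBCryptEncoder implements PasswordEncoder {

    /** Assumed constant: bcrypt's input limit is 72 bytes, measured after UTF-8 encoding. */
    static final int BCRYPT_MAX_BYTES = 72;

    private final PasswordEncoder delegate = new BCryptPasswordEncoder();

    /** Length in UTF-8 bytes, which is what Spring's BCrypt hashes (not the char count). */
    static int utf8Length(CharSequence raw) {
        return raw.toString().getBytes(StandardCharsets.UTF_8).length;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        if (rawPassword == null) {
            throw new IllegalArgumentException("rawPassword cannot be null");
        }
        int n = utf8Length(rawPassword);
        if (n > BCRYPT_MAX_BYTES) {
            // Reject at enrolment time rather than silently storing a truncated secret.
            throw new IllegalArgumentException(
                    "password is " + n + " bytes; bcrypt uses only the first " + BCRYPT_MAX_BYTES);
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Fail closed on the authentication path: an over-long candidate never
        // matches, instead of being compared on its first 72 bytes only.
        if (rawPassword == null || utf8Length(rawPassword) > BCRYPT_MAX_BYTES) {
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }

    /** Constructed demo: two 80-character passwords that share their first 72 characters. */
    public static void main(String[] args) {
        String shared = "A".repeat(72);
        String pw1 = shared + "tail-one";
        String pw2 = shared + "tail-two";

        PasswordEncoder plain = new BCryptPasswordEncoder();
        String hash;
        try {
            hash = plain.encode(pw1);
        } catch (IllegalArgumentException e) {
            // A release that rejects over-long input stops here; there is nothing to compare.
            System.out.println("BCryptPasswordEncoder rejected the 80-char password: " + e.getMessage());
            return;
        }
        // On the affected versions pw2 is accepted against pw1's hash: the two differ
        // only after byte 72, which bcrypt never reads.
        System.out.println("BCryptPasswordEncoder.matches(pw2, hash(pw1)) = " + plain.matches(pw2, hash));

        PasswordEncoder guarded = new LengthCheckedBCryptEncoder();
        // The wrapper refuses the over-long candidate before bcrypt sees it.
        System.out.println("guarded.matches(pw2, hash(pw1)) = " + guarded.matches(pw2, hash));

        // 36 two-byte characters already fill the 72-byte limit; 37 exceed it,
        // even though 37 characters is far below the "72 characters" in the description.
        System.out.println("utf8Length(36 x U+00E9) = " + utf8Length("\u00e9".repeat(36)));
        System.out.println("utf8Length(37 x U+00E9) = " + utf8Length("\u00e9".repeat(37)));
    }
}
```

The wrapper is a compensating control, not a substitute for upgrading to a fixed release from the Affected Systems list. If the application must accept passphrases longer than 72 bytes, the usual alternative is to pre-hash the raw password (for example SHA-256, then base64 so the input contains no NUL bytes) before handing it to bcrypt; that only works if every code path that encodes or verifies applies exactly the same pre-hash, so it is a larger change than the length check shown here.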
CVSS Metrics
- v3.1, HIGH, score 7.4, vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Trends
Current EPSS score: 0.07%, percentile: 21%
Techniques & Countermeasures
- CWE-287: Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Systems
- org.springframework.security:spring-security-crypto
≥ 6.3.0, < 6.3.8 | ≥ 6.4.0, < 6.4.4 | ≥ 6.2.0, < 6.2.10 | ≥ 6.1.0, < 6.1.14 | ≥ 6.0.0, < 6.0.16 | ≥ 5.8.0, < 5.8.18 | < 5.7.16
- spring / spring security
≥ 5.7.x, < 5.7.16 | ≥ 5.8.x, < 5.8.18 | ≥ 6.0.x, < 6.0.16 | ≥ 6.1.x, < 6.1.14 | ≥ 6.2.x, < 6.2.10 | ≥ 6.3.x, < 6.3.8 | ≥ 6.4.x, < 6.4.4
References (5)
- https://spring.io/security/cve-2025-22228
- https://security.netapp.com/advisory/ntap-20250425-0009/
- https://nvd.nist.gov/vuln/detail/CVE-2025-22228
- https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3
- https://github.com/spring-projects/spring-security