{ "schema_version": "1.4.0", "id": "GHSA-mg83-c7gq-rv5c", "modified": "2025-04-26T00:30:24Z", "published": "2025-03-20T06:31:09Z", "aliases": [ "CVE-2025-22228" ], "summary": "Spring Security Does Not Enforce Password Length", "details": "BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-crypto" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.3.0" }, { "fixed": "6.3.8" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-crypto" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.4.0" }, { "fixed": "6.4.4" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-crypto" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.2.0" }, { "fixed": "6.2.10" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 6.2.9" } }, { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-crypto" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.1.0" }, { "fixed": "6.1.14" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 6.1.13" } }, { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-crypto" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.0.16" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 6.0.15" } }, { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-crypto" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.8.0" }, { "fixed": "5.8.18" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 5.8.17" } }, { "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-crypto" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.7.16" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 5.7.15" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228" }, { "type": "WEB", "url": "https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3" }, { "type": "PACKAGE", "url": "https://github.com/spring-projects/spring-security" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250425-0009" }, { "type": "WEB", "url": "https://spring.io/security/cve-2025-22228" } ], "database_specific": { "cwe_ids": [ "CWE-287", "CWE-521" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-03-20T18:19:20Z", "nvd_published_at": "2025-03-20T06:15:23Z" } }