CVE-2025-22228

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-22228

CGA ID

CGA-2xfc-rx9g-78jp

Severity

Unknown

Summary

Spring Security Does Not Enforce Password Length

Description

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

References

https://images.chainguard.dev/security/CGA-2xfc-rx9g-78jp
https://github.com/advisories/GHSA-mg83-c7gq-rv5c
https://nvd.nist.gov/vuln/detail/CVE-2025-22228
https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3
https://github.com/spring-projects/spring-security
https://spring.io/security/cve-2025-22228

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CVE-2025-22228

Severity

Summary

Description

References

Affected packages

Products

Why Chainguard

Customers

Company

Resources