CVE-2025-22234 - Vulnerability Details - OpenCVE

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable yes

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-vqxh-445g-37fc	Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide

Fixes

Solution

Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line).

Workaround

No workaround given by the vendor.

References

Link	Providers
https://spring.io/security/cve-2025-22234/

History

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.
Title		Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation
Weaknesses		CWE-208
References		https://spring.io/security/cve-2025-22234/
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-01-22T21:02:23.992Z

Updated: 2026-01-22T21:27:13.558Z

Reserved: 2025-01-02T04:29:59.191Z

Link: CVE-2025-22234

Vulnrichment

Updated: 2026-01-22T21:27:08.374Z

NVD

Status : Received

Published: 2026-01-22T21:15:49.420

Modified: 2026-01-22T21:15:49.420

Link: CVE-2025-22234

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-208

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-22234", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2025-01-02T04:29:59.191Z", "datePublished": "2026-01-22T21:02:23.992Z", "dateUpdated": "2026-01-22T21:27:13.558Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://spring.io/projects/spring-security", "defaultStatus": "affected", "product": "Spring Security", "vendor": "Spring", "versions": [{"status": "affected", "version": "5.7.16", "versionType": "semver"}, {"status": "affected", "version": "5.8.18", "versionType": "semver"}, {"status": "affected", "version": "6.0.16", "versionType": "semver"}, {"status": "affected", "version": "6.1.14", "versionType": "semver"}, {"status": "affected", "version": "6.2.10", "versionType": "semver"}, {"status": "affected", "version": "6.3.8", "versionType": "semver"}, {"status": "affected", "version": "6.4.4", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Jonas Robl"}], "datePublic": "2025-04-25T15:43:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.</p>"}], "value": "The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "description": "CWE-208 Timing Descrepency", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-01-22T21:02:23.992Z"}, "references": [{"name": "Spring Security Advisory: CVE-2025-22234", "tags": ["vendor-advisory"], "url": "https://spring.io/security/cve-2025-22234/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line).</p>"}], "value": "Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line)."}], "source": {"discovery": "UNKNOWN"}, "title": "Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T21:27:06.559653Z", "id": "CVE-2025-22234", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T21:27:13.558Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-22234", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T21:27:06.559653Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T21:27:08.374Z"}}], "cna": {"title": "Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Jonas Robl"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.16", "versionType": "semver"}, {"status": "affected", "version": "5.8.18", "versionType": "semver"}, {"status": "affected", "version": "6.0.16", "versionType": "semver"}, {"status": "affected", "version": "6.1.14", "versionType": "semver"}, {"status": "affected", "version": "6.2.10", "versionType": "semver"}, {"status": "affected", "version": "6.3.8", "versionType": "semver"}, {"status": "affected", "version": "6.4.4", "versionType": "semver"}], "collectionURL": "https://spring.io/projects/spring-security", "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line).", "supportingMedia": [{"type": "text/html", "value": "<p>Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line).</p>", "base64": false}]}], "datePublic": "2025-04-25T15:43:00.000Z", "references": [{"url": "https://spring.io/security/cve-2025-22234/", "name": "Spring Security Advisory: CVE-2025-22234", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.", "supportingMedia": [{"type": "text/html", "value": "<p>The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 Timing Descrepency"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-01-22T21:02:23.992Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22234", "state": "PUBLISHED", "dateUpdated": "2026-01-22T21:27:13.558Z", "dateReserved": "2025-01-02T04:29:59.191Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-01-22T21:02:23.992Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}