CVE-2025-22228: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in Spring Security's BCryptPasswordEncoder component, identified as CVE-2025-22228. The vulnerability affects multiple versions of Spring Security from 5.7.0 through 6.4.3. The issue was identified and responsibly reported by Lars Bruun-Hansen. The vulnerability was disclosed on March 19, 2025, and received a CVSS v3.1 base score of 7.4 (HIGH) (Spring Security, NVD).

The vulnerability exists in the BCryptPasswordEncoder.matches(CharSequence,String) method, which incorrectly returns true for passwords larger than 72 characters as long as the first 72 characters are the same. This is classified as CWE-287 (Improper Authentication). The vulnerability has received a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating network accessibility with high attack complexity, no privileges required, and potential for high confidentiality and integrity impact (NVD, Spring Security).

The vulnerability could lead to authentication bypass scenarios where attackers could potentially gain unauthorized access by exploiting the password length validation flaw. The CVSS score of 7.4 (HIGH) indicates serious potential consequences for system security, particularly affecting confidentiality and integrity aspects of the system (Spring Security).

Users of affected versions should upgrade to the corresponding fixed versions: 5.7.16 (Enterprise), 5.8.18 (Enterprise), 6.0.16 (Enterprise), 6.1.14 (Enterprise), 6.2.10 (Enterprise), 6.3.8 (OSS), or 6.4.4 (OSS). Commercial customers using Spring Boot 2.7, 3.0, 3.1, or 3.2 can update to Spring Boot 2.7.24.1, 3.0.19.1, 3.1.15.1, or 3.2.13.1 respectively to receive the corresponding Security releases (Spring Security, ASEC).