CVE-2025-2228: 
WordPress vulnerability analysis and mitigation

BCryptPasswordEncoder in Spring Security contains a vulnerability (CVE-2025-22228) where the matches(CharSequence,String) function incorrectly returns true for passwords larger than 72 characters as long as the first 72 characters are the same. This vulnerability was discovered on March 19, 2025, affecting multiple versions of Spring Security including versions 5.7.0-5.7.15, 5.8.0-5.8.17, 6.0.0-6.0.15, 6.1.0-6.1.13, 6.2.0-6.2.9, 6.3.0-6.3.7, and 6.4.0-6.4.3 (Spring Security).

The vulnerability has been assigned a HIGH severity rating with a CVSS v3.1 score of 7.4. The vulnerability vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating that it can be exploited over the network, requires high attack complexity, needs no privileges, requires no user interaction, and can result in high confidentiality and integrity impact (NVD).

The vulnerability allows attackers to potentially bypass password validation checks when passwords exceed 72 characters, as the system only validates the first 72 characters. This could lead to unauthorized access to accounts if an attacker can exploit this limitation in the password validation mechanism (Spring Security).

Users of affected versions should upgrade to the corresponding fixed versions: 5.7.16 (Enterprise Support), 5.8.18 (Enterprise Support), 6.0.16 (Enterprise Support), 6.1.14 (Enterprise Support), 6.2.10 (Enterprise Support), 6.3.8 (OSS), or 6.4.4 (OSS). The vulnerability was identified and responsibly reported by Lars Bruun-Hansen (Spring Security).