{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-22234", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2025-01-02T04:29:59.191Z", "datePublished": "2026-01-22T21:02:23.992Z", "dateUpdated": "2026-01-22T21:27:13.558Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://spring.io/projects/spring-security", "defaultStatus": "affected", "product": "Spring Security", "vendor": "Spring", "versions": [{"status": "affected", "version": "5.7.16", "versionType": "semver"}, {"status": "affected", "version": "5.8.18", "versionType": "semver"}, {"status": "affected", "version": "6.0.16", "versionType": "semver"}, {"status": "affected", "version": "6.1.14", "versionType": "semver"}, {"status": "affected", "version": "6.2.10", "versionType": "semver"}, {"status": "affected", "version": "6.3.8", "versionType": "semver"}, {"status": "affected", "version": "6.4.4", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Jonas Robl"}], "datePublic": "2025-04-25T15:43:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.</p>"}], "value": "The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "description": "CWE-208 Timing Descrepency", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-01-22T21:02:23.992Z"}, "references": [{"name": "Spring Security Advisory: CVE-2025-22234", "tags": ["vendor-advisory"], "url": "https://spring.io/security/cve-2025-22234/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line).</p>"}], "value": "Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line)."}], "source": {"discovery": "UNKNOWN"}, "title": "Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T21:27:06.559653Z", "id": "CVE-2025-22234", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T21:27:13.558Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-22234", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T21:27:06.559653Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T21:27:08.374Z"}}], "cna": {"title": "Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Jonas Robl"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.16", "versionType": "semver"}, {"status": "affected", "version": "5.8.18", "versionType": "semver"}, {"status": "affected", "version": "6.0.16", "versionType": "semver"}, {"status": "affected", "version": "6.1.14", "versionType": "semver"}, {"status": "affected", "version": "6.2.10", "versionType": "semver"}, {"status": "affected", "version": "6.3.8", "versionType": "semver"}, {"status": "affected", "version": "6.4.4", "versionType": "semver"}], "collectionURL": "https://spring.io/projects/spring-security", "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line).", "supportingMedia": [{"type": "text/html", "value": "<p>Upgrade to a fixed version: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 (depending on your release line).</p>", "base64": false}]}], "datePublic": "2025-04-25T15:43:00.000Z", "references": [{"url": "https://spring.io/security/cve-2025-22234/", "name": "Spring Security Advisory: CVE-2025-22234", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.", "supportingMedia": [{"type": "text/html", "value": "<p>The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 Timing Descrepency"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-01-22T21:02:23.992Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22234", "state": "PUBLISHED", "dateUpdated": "2026-01-22T21:27:13.558Z", "dateReserved": "2025-01-02T04:29:59.191Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-01-22T21:02:23.992Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations."}], "id": "CVE-2025-22234", "lastModified": "2026-01-26T15:04:14.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-01-22T21:15:49.420", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2025-22234/"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "org.springframework.security/spring-security-core: Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation", "id": "2432173", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432173"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-208", "details": ["The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-22234", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-01-22T21:02:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22234\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22234\nhttps://github.com/spring-projects/spring-security/commit/c1aa99fdd2113a232986e9c3a44673ae752de840\nhttps://spring.io/security/cve-2025-22234/"], "threat_severity": "Moderate"}