CVE-2025-22228 — Spring Security Does Not Enforce Password Length

Description

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

How to fix CVE-2025-22228

To remediate CVE-2025-22228, upgrade the affected package to a fixed version below.

Maven/org.springframework.security:spring-security-crypto—upgrade to 6.3.8 or later

Is CVE-2025-22228 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 6.3.0, < 6.3.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-22228
PATCHgithub.com/spring-projects/spring-security
WEBgithub.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3
WEBsecurity.netapp.com/advisory/ntap-20250425-0009