High severity (7.4) · NVD Advisory · Published Mar 20, 2025 · Updated Apr 15, 2026
CVE-2025-22228
Description
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords longer than 72 characters as long as the first 72 characters are the same.
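The truncation described above is a property of bcrypt itself: its key schedule consumes at most 72 bytes of the password, so two passwords that agree on their first 72 UTF-8 bytes produce the same hash and verify against each other. The following is an added example, not code from the advisory or from Spring Security: a hypothetical `LengthCheckedBCryptEncoder` (the class name and its helpers `utf8Length` and `fitsBcryptKey` are this example's own) wraps the real `BCryptPasswordEncoder` and refuses over-long input before delegating, which gives an application still on an affected version the same guarantee the fix introduces, and counts bytes rather than characters because that is what bcrypt keys on.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical hardening wrapper (added example, not Spring Security's code).
 * Rejects raw passwords whose UTF-8 encoding exceeds bcrypt's 72-byte key
 * limit before they reach the encoder, so a comparison can never succeed
 * on a mere 72-byte prefix, even on an unpatched spring-security-crypto.
 */
public final class LengthCheckedBCryptEncoder implements PasswordEncoder {

    /** bcrypt's key schedule consumes at most 72 bytes of the password. */
    static final int BCRYPT_MAX_BYTES = 72;

    private final PasswordEncoder delegate = new BCryptPasswordEncoder();

    /** Length in bytes, not characters: "ä" is 2 bytes, many emoji are 4. */
    static int utf8Length(CharSequence rawPassword) {
        return rawPassword.toString().getBytes(StandardCharsets.UTF_8).length;
    }

    /** True when the whole password takes part in the bcrypt key. */
    static boolean fitsBcryptKey(CharSequence rawPassword) {
        return utf8Length(rawPassword) <= BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        // Refuse to store a hash that covers only a prefix of the password.
        if (rawPassword == null || !fitsBcryptKey(rawPassword)) {
            throw new IllegalArgumentException("password cannot be more than 72 bytes");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Fail closed: under this policy no stored hash was ever produced from an
        // over-long password, so report a mismatch instead of comparing a prefix.
        if (rawPassword == null || !fitsBcryptKey(rawPassword)) {
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new LengthCheckedBCryptEncoder();
        String exactly72 = "1234567890".repeat(7) + "12"; // 72 ASCII characters, 72 bytes
        String over72 = exactly72 + "a";                   // same 72-byte prefix, 73 bytes
        String hash = encoder.encode(exactly72);

        System.out.println("72-byte password matches:        " + encoder.matches(exactly72, hash));
        // An affected BCryptPasswordEncoder alone accepts over72 against this hash,
        // because bcrypt keys on the first 72 bytes only; the wrapper rejects it.
        System.out.println("73-byte prefix-extended matches: " + encoder.matches(over72, hash));

        // 37 two-byte characters: only 37 "characters", but 74 bytes.
        String multibyte = "ä".repeat(37);
        System.out.println("37 x 'ä' fits bcrypt key:        " + fitsBcryptKey(multibyte));
    }
}
```

Unlike the upstream fix, which throws from `matches()` for an over-long candidate, the wrapper reports a mismatch there and reserves the exception for `encode()`; either policy closes the truncation, but login code has to be written for whichever one it gets, since a password that used to verify now either fails or throws.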
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.springframework.security:spring-security-crypto | Maven | >= 6.3.0, < 6.3.8 | 6.3.8 |
| org.springframework.security:spring-security-crypto | Maven | >= 6.4.0, < 6.4.4 | 6.4.4 |
| org.springframework.security:spring-security-crypto | Maven | >= 6.2.0, < 6.2.10 | 6.2.10 |
| org.springframework.security:spring-security-crypto | Maven | >= 6.1.0, < 6.1.14 | 6.1.14 |
| org.springframework.security:spring-security-crypto | Maven | >= 6.0.0, < 6.0.16 | 6.0.16 |
| org.springframework.security:spring-security-crypto | Maven | >= 5.8.0, < 5.8.18 | 5.8.18 |
| org.springframework.security:spring-security-crypto | Maven | < 5.7.16 | 5.7.16 |
Patches
Commit 46f0dc6dfc84: Enforce BCrypt password length
2 files changed · +13 −0
crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java+3 −0 modified@@ -611,6 +611,9 @@ private static String hashpw(byte passwordb[], String salt, boolean for_check) { int rounds, off; StringBuilder rs = new StringBuilder(); + if (passwordb.length > 72) { + throw new IllegalArgumentException("password cannot be more than 72 bytes"); + } if (salt == null) { throw new IllegalArgumentException("salt cannot be null"); }
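Review bot: the new guard at the top of hashpw runs for every call, including verification (for_check is true), so BCryptPasswordEncoder.matches() now propagates an IllegalArgumentException for an over-long candidate where it previously returned a boolean; either document this in the matches() Javadoc or catch it in BCryptPasswordEncoder.matches and return false, so callers that only expect a boolean do not turn a failed login into an unhandled exception. Note also that the limit is on passwordb.length, i.e. UTF-8 bytes, while the advisory text speaks of 72 characters; a non-ASCII password reaches the limit at far fewer characters, and the message "password cannot be more than 72 bytes" is the right wording for that, so the public documentation should say bytes too.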
crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java+10 −0 modified@@ -222,4 +222,14 @@ public void checkWhenNoRoundsThenTrue() { assertThat(encoder.matches("wrong", "$2a$00$9N8N35BVs5TLqGL3pspAte5OWWA2a2aZIs.EGp7At7txYakFERMue")).isFalse(); } + @Test + public void enforcePasswordLength() { + BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); + String password72chars = "123456789012345678901234567890123456789012345678901234567890123456789012"; + assertThat(encoder.matches(password72chars, encoder.encode(password72chars))).isTrue(); + String password73chars = password72chars.concat("a"); + assertThatIllegalArgumentException() + .isThrownBy(() -> encoder.matches(password73chars, encoder.encode(password73chars))); + } + }
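Review bot: enforcePasswordLength wraps encoder.encode(password73chars) inside the matches(...) call, so the assertion cannot tell whether encode() or matches() threw; split it so that matches(password73chars, encoder.encode(password72chars)) is shown to throw on its own, since matches() is the method the advisory is about. The test also covers ASCII only; add a case with multi-byte characters (for instance 37 two-byte characters, 74 bytes) to pin down that the guard in hashpw counts bytes rather than chars.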
References
- github.com/advisories/GHSA-mg83-c7gq-rv5c (advisory; via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-22228 (advisory; via GHSA)
- github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3 (fix commit; via GHSA)
- security.netapp.com/advisory/ntap-20250425-0009 (vendor advisory; via GHSA and NVD)
- spring.io/security/cve-2025-22228 (vendor advisory; via NVD)