VYPR
High severity7.4GHSA Advisory· Published Mar 20, 2025· Updated Jun 17, 2026

CVE-2025-22228

CVE-2025-22228

Description

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.springframework.security:spring-security-cryptoMaven
>= 6.3.0, < 6.3.86.3.8
org.springframework.security:spring-security-cryptoMaven
>= 6.4.0, < 6.4.46.4.4
org.springframework.security:spring-security-cryptoMaven
>= 6.2.0, < 6.2.106.2.10
org.springframework.security:spring-security-cryptoMaven
>= 6.1.0, < 6.1.146.1.14
org.springframework.security:spring-security-cryptoMaven
>= 6.0.0, < 6.0.166.0.16
org.springframework.security:spring-security-cryptoMaven
>= 5.8.0, < 5.8.185.8.18
org.springframework.security:spring-security-cryptoMaven
< 5.7.165.7.16

Affected products

29

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.