High severity7.4GHSA Advisory· Published Mar 20, 2025· Updated Jun 17, 2026
CVE-2025-22228
CVE-2025-22228
Description
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.security:spring-security-cryptoMaven | >= 6.3.0, < 6.3.8 | 6.3.8 |
org.springframework.security:spring-security-cryptoMaven | >= 6.4.0, < 6.4.4 | 6.4.4 |
org.springframework.security:spring-security-cryptoMaven | >= 6.2.0, < 6.2.10 | 6.2.10 |
org.springframework.security:spring-security-cryptoMaven | >= 6.1.0, < 6.1.14 | 6.1.14 |
org.springframework.security:spring-security-cryptoMaven | >= 6.0.0, < 6.0.16 | 6.0.16 |
org.springframework.security:spring-security-cryptoMaven | >= 5.8.0, < 5.8.18 | 5.8.18 |
org.springframework.security:spring-security-cryptoMaven | < 5.7.16 | 5.7.16 |
Affected products
29- Range: <= 5.7.15
- osv-coords28 versionspkg:apk/chainguard/camunda-zeebe-8.6pkg:apk/chainguard/camunda-zeebe-8.6-compatpkg:apk/chainguard/jenkins-2.479pkg:apk/chainguard/jenkins-2.479-compatpkg:apk/chainguard/jenkins-2.479-remotingpkg:apk/chainguard/jenkins-2.492pkg:apk/chainguard/keycloak-config-clipkg:apk/chainguard/keycloak-config-cli-bitnami-compatpkg:apk/chainguard/keycloak-config-cli-compatpkg:apk/chainguard/keycloak-config-cli-iamguarded-compatpkg:apk/chainguard/thingsboardpkg:apk/chainguard/thingsboard-tb-js-executorpkg:apk/chainguard/thingsboard-tb-mqtt-transportpkg:apk/chainguard/thingsboard-tb-nodepkg:apk/chainguard/thingsboard-tb-web-uipkg:apk/wolfi/jenkins-2.479pkg:apk/wolfi/jenkins-2.479-compatpkg:apk/wolfi/jenkins-2.479-remotingpkg:apk/wolfi/keycloak-config-clipkg:apk/wolfi/keycloak-config-cli-bitnami-compatpkg:apk/wolfi/keycloak-config-cli-compatpkg:apk/wolfi/keycloak-config-cli-iamguarded-compatpkg:apk/wolfi/thingsboardpkg:apk/wolfi/thingsboard-tb-js-executorpkg:apk/wolfi/thingsboard-tb-mqtt-transportpkg:apk/wolfi/thingsboard-tb-nodepkg:apk/wolfi/thingsboard-tb-web-uipkg:maven/org.springframework.security/spring-security-crypto
< 8.6.12-r1+ 27 more
- (no CPE)range: < 8.6.12-r1
- (no CPE)range: < 8.6.12-r1
- (no CPE)range: < 2.479.3-r1
- (no CPE)range: < 2.479.3-r1
- (no CPE)range: < 2.479.3-r1
- (no CPE)range: < 2.492.2-r1
- (no CPE)range: < 6.4.0-r3
- (no CPE)range: < 6.4.0-r3
- (no CPE)range: < 6.4.0-r3
- (no CPE)range: < 6.4.0-r3
- (no CPE)range: < 3.9.1-r2
- (no CPE)range: < 3.9.1-r2
- (no CPE)range: < 3.9.1-r2
- (no CPE)range: < 3.9.1-r2
- (no CPE)range: < 3.9.1-r2
- (no CPE)range: < 2.479.3-r1
- (no CPE)range: < 2.479.3-r1
- (no CPE)range: < 2.479.3-r1
- (no CPE)range: < 6.4.0-r3
- (no CPE)range: < 6.4.0-r3
- (no CPE)range: < 6.4.0-r3
- (no CPE)range: < 6.4.0-r3
- (no CPE)range: < 3.9.1-r2
- (no CPE)range: < 3.9.1-r2
- (no CPE)range: < 3.9.1-r2
- (no CPE)range: < 3.9.1-r2
- (no CPE)range: < 3.9.1-r2
- (no CPE)range: >= 6.3.0, < 6.3.8
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-mg83-c7gq-rv5cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-22228ghsaADVISORY
- github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3ghsaWEB
- security.netapp.com/advisory/ntap-20250425-0009ghsaWEB
- spring.io/security/cve-2025-22228nvdWEB
- security.netapp.com/advisory/ntap-20250425-0009/nvd
News mentions
0No linked articles in our index yet.