A serious vulnerability related to information exposure (CVE-2025-22234) impacts several versions of the spring-security-crypto package.
The flaw enables attackers to determine valid usernames through timing attacks, undermining a key security feature designed to prevent user enumeration.The vulnerability affects Spring Security versions 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, 6.3.8, and 6.4.4. Patches are now available through HeroDevsβ Never-Ending Support (NES) version.
Spring Security, a comprehensive Java security framework widely used in enterprise applications, typically implements timing attack mitigation by performing password checks regardless of whether a username exists.
Spring Security Timing Attack Exposes UsernamesThis prevents attackers from determining valid usernames by measuring response times during login attempts.
βThe irony is that this vulnerability was introduced while fixing another security issue,β said Adrian Chapman, senior security researcher at CyberSafe Analytics.
βThe patch for CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider.β
The technical root cause involves BCrypt password encoding with long passwords. When the password encoder is set to BCrypt and a password exceeding 72 characters is submitted, the encoder now throws an exception instead of following the previous behavior. This change allows attackers to measure differences in response times.
Through careful measurement of response times, attackers can determine which usernames exist in the system.
Valid usernames typically result in longer processing times due to legitimate password checks, while invalid usernames return faster responses.
Once valid usernames are identified, attackers can focus their password guessing or social engineering efforts on known accounts.
The vulnerability, rated as Medium severity, was discovered by Jonas Robl from SAP and published on April 22, 2025.
Risk Factors DetailsAffected Products Spring Security: 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, 6.3.8, 6.4.4Impact Information ExposureExploit Prerequisites Attacker must be able to send authentication requests and measure response times; application must use affected Spring Security version with BCryptPasswordEncoder and DaoAuthenticationProviderCVSS 3.1 Score 6.5 (Medium)
Mitigation StepsOrganizations using affected Spring Security versions should immediately implement one of the following mitigations:
Upgrade to supported versions of Spring Security that contain the fix.Leverage commercial support through HeroDevs for post-EOL security support.The vulnerability has been addressed by reverting to the previous behavior that ensured consistent timing regardless of username validity.
The fix is available in NES for Spring Security v5.7.18 and v5.8.21, re-establishing the critical timing attack mitigation that maintains authentication security integrity.