Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreThe fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider.
Spring Security:
| Fix version | Availability |
|---|---|
| 6.4.5 | OSS |
| 6.3.9 | OSS |
| 6.2.11 | Enterprise Support Only |
| 6.1.15 | Enterprise Support Only |
| 6.0.17 | Enterprise Support Only |
| 5.8.19 | Enterprise Support Only |
| 5.7.17 | Enterprise Support Only |
No further mitigation steps are necessary.
The issue was identified and responsibly reported by Jonas Robl ([email protected]).
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy