CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length
Description
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords longer than 72 characters as long as the first 72 characters are the same.
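The following Java example is added here to illustrate the defect and a defensive check; it is not code from the advisory or from the Spring Security project. It uses the real Spring Security API (BCryptPasswordEncoder and the PasswordEncoder interface) but the wrapper class LengthCheckedBCryptEncoder, its constant BCRYPT_MAX_BYTES and the sample passwords are constructed for this illustration. The wrapper assumes bcrypt's input limit is 72 bytes of the UTF-8 encoded password and rejects longer input before delegating, so two passwords that differ only after the 72nd byte can no longer be treated as equal.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical wrapper (not part of Spring Security) that refuses passwords
 * exceeding bcrypt's 72-byte input limit instead of letting them be silently
 * truncated by the underlying algorithm.
 */
public final class LengthCheckedBCryptEncoder implements PasswordEncoder {

    // Assumption: bcrypt only processes the first 72 bytes of its input.
    static final int BCRYPT_MAX_BYTES = 72;

    private final BCryptPasswordEncoder delegate = new BCryptPasswordEncoder();

    // Counts UTF-8 bytes, not characters: multi-byte characters reach the limit sooner.
    private static void requireWithinLimit(CharSequence rawPassword) {
        int length = rawPassword.toString().getBytes(StandardCharsets.UTF_8).length;
        if (length > BCRYPT_MAX_BYTES) {
            throw new IllegalArgumentException(
                "password is " + length + " bytes; bcrypt compares at most " + BCRYPT_MAX_BYTES);
        }
    }

    @Override
    public String encode(CharSequence rawPassword) {
        requireWithinLimit(rawPassword);
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        requireWithinLimit(rawPassword);
        return delegate.matches(rawPassword, encodedPassword);
    }

    public static void main(String[] args) {
        // Constructed sample: a 72-byte ASCII prefix shared by two distinct passwords.
        String prefix = "a".repeat(72);
        String registered = prefix + "-suffix-one";
        String attempted  = prefix + "-suffix-two";

        // Unwrapped encoder: on affected versions this prints "true", because only
        // the first 72 bytes take part in the comparison.
        BCryptPasswordEncoder unchecked = new BCryptPasswordEncoder();
        String hash = unchecked.encode(registered);
        System.out.println("unchecked matches: " + unchecked.matches(attempted, hash));

        // Wrapped encoder: the over-long input is rejected before bcrypt sees it.
        PasswordEncoder checked = new LengthCheckedBCryptEncoder();
        try {
            checked.matches(attempted, hash);
            System.out.println("checked matches: unexpectedly reached comparison");
        } catch (IllegalArgumentException e) {
            System.out.println("checked encoder rejected input: " + e.getMessage());
        }
    }
}
```

Rejecting at the byte level rather than the character level is the conservative choice: a 72-character password containing multi-byte UTF-8 characters is already longer than bcrypt's input window, so a character-based check would leave the same truncation behaviour in place for non-ASCII passwords. Applying the same limit in encode and matches keeps registration and login consistent, so a user cannot register a password that later cannot be verified.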
Affected Spring Products and Versions
Spring Security:
- 5.7.0 - 5.7.15
- 5.8.0 - 5.8.17
- 6.0.0 - 6.0.15
- 6.1.0 - 6.1.13
- 6.2.0 - 6.2.9
- 6.3.0 - 6.3.7
- 6.4.0 - 6.4.3
- Older, unsupported versions are also affected …