CVE-2025-22228

Severity: High

Published: 20 March 2025
Modified: 15 April 2026
CISA KEV: not listed
CVSS v3.1 score: 7.4 (High), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS score: 0.0006 (20.5th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22228 is a high-severity Improper Authentication (CWE-287) vulnerability in Spring Security (the affected product is inferred from the references, as NVD filed no CPE). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-22228 is a vulnerability in the BCryptPasswordEncoder.matches(CharSequence, String) method within Spring Security: the method incorrectly returns true for a submitted password longer than 72 characters whenever its first 72 characters match those of the password from which the stored hash was derived. This flaw, classified under CWE-287 (Improper Authentication), affects applications that use this password encoder for authentication. It was published on 2025-03-20 with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to the potential impact on confidentiality and integrity.

Remote unauthenticated attackers (PR:N) can exploit this over the network (AV:N), though it requires high attack complexity (AC:H). By submitting a crafted password that matches only the first 72 characters of the legitimate password, an attacker can bypass authentication checks, gaining unauthorized access to protected resources and potentially leading to high confidentiality and integrity impacts without affecting availability.

Mitigation guidance is provided in the official Spring Security advisory at https://spring.io/security/cve-2025-22228 and a related NetApp advisory at https://security.netapp.com/advisory/ntap-20250425-0009/. Security practitioners should consult these for patching instructions, upgrade recommendations, or workarounds specific to affected Spring versions and dependent products.
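The failure mode described above, and the input-length control listed under Mitigating Controls, are easier to reason about with a runnable model. The following Python is an added, constructed simulation and is not Spring Security's code: truncating_hash() only mimics the one property that matters here (bcrypt hashes no more than the first 72 bytes of the password), using PBKDF2 as a stand-in so the file runs without a bcrypt library. The function names, the 80-byte sample password and the "hardened" variants are all assumptions made for the illustration; the hardened variants simply apply the 72-byte limit at both registration and verification so that a prefix-only match can never succeed.

```python
"""Constructed simulation of the CVE-2025-22228 failure mode and a hardened check.

Not Spring Security's code. truncating_hash() stands in for bcrypt: it keeps
only the first 72 bytes of the password, which is the behaviour that lets a
prefix-only password verify. The PBKDF2 inside it is just a placeholder so
the example runs offline without a bcrypt library.
"""
import hashlib
import hmac
import secrets

BCRYPT_MAX_BYTES = 72  # bcrypt's input limit is measured in bytes, not characters


def truncating_hash(password: str, salt: bytes) -> bytes:
    """Hash only the first 72 bytes of the UTF-8 password (stand-in for bcrypt)."""
    data = password.encode("utf-8")[:BCRYPT_MAX_BYTES]
    return hashlib.pbkdf2_hmac("sha256", data, salt, 10_000)


def encode_unsafe(password: str) -> tuple[bytes, bytes]:
    """Encoder that accepts any length; everything past byte 72 is silently dropped."""
    salt = secrets.token_bytes(16)
    return salt, truncating_hash(password, salt)


def matches_unsafe(raw: str, stored: tuple[bytes, bytes]) -> bool:
    """The flawed behaviour from the advisory: any input whose first 72 bytes
    agree with the registered password verifies successfully."""
    salt, digest = stored
    return hmac.compare_digest(truncating_hash(raw, salt), digest)


def encode_hardened(password: str) -> tuple[bytes, bytes]:
    """Refuse to store a password that the hash would truncate (assumed fix)."""
    if len(password.encode("utf-8")) > BCRYPT_MAX_BYTES:
        raise ValueError(f"password exceeds {BCRYPT_MAX_BYTES} bytes and would be truncated")
    return encode_unsafe(password)


def matches_hardened(raw: str, stored: tuple[bytes, bytes]) -> bool:
    """Apply the same byte-length rule on verification, so a submitted password
    can never succeed on a truncated prefix (assumed fix)."""
    if len(raw.encode("utf-8")) > BCRYPT_MAX_BYTES:
        return False
    return matches_unsafe(raw, stored)


def demo() -> dict[str, bool]:
    """Observable results for a constructed 80-byte ASCII password."""
    registered = "A" * 72 + "tailpart"       # 80 bytes; only the first 72 are hashed
    prefix_only = "A" * 72 + "zzzzzzzz"      # differs only after byte 72
    stored = encode_unsafe(registered)

    try:
        encode_hardened(registered)           # 80 bytes: must be refused
        hardened_registers_long = True
    except ValueError:
        hardened_registers_long = False

    try:
        encode_hardened("\u00e9" * 40)        # 40 characters but 80 UTF-8 bytes
        multibyte_rejected = False
    except ValueError:
        multibyte_rejected = True

    short_stored = encode_hardened("correct horse")  # well under the limit
    return {
        "unsafe_accepts_correct": matches_unsafe(registered, stored),
        "unsafe_accepts_prefix_only": matches_unsafe(prefix_only, stored),  # the flaw
        "hardened_accepts_prefix_only": matches_hardened(prefix_only, stored),
        "hardened_registers_long": hardened_registers_long,
        "multibyte_counted_in_bytes": multibyte_rejected,
        "short_password_still_works": matches_hardened("correct horse", short_stored),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the limit must be enforced in the same units the hash uses (bytes, hence the multibyte case) and on both sides of the flow: rejecting long input only at login would lock out a user whose registration already stored a truncated secret, while rejecting it only at registration would still leave previously stored hashes verifiable by prefix.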

Vulnerability details

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

CWE(s): CWE-287 (Improper Authentication)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote authentication bypass in Spring Security's password encoder used by public-facing applications, directly enabling exploitation of public-facing applications for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-71279 (shared CWE-287)
CVE-2024-13804 (shared CWE-287)
CVE-2024-57046 (shared CWE-287)
CVE-2026-1203 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2025-43995 (shared CWE-287)
CVE-2026-7876 (shared CWE-287)
CVE-2025-0637 (shared CWE-287)
CVE-2025-61882 (shared CWE-287)
CVE-2026-0589 (shared CWE-287)

Affected Assets

Spring (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly remediates the flawed BCryptPasswordEncoder.matches logic by identifying, patching, or upgrading affected Spring Security versions per the vendor advisory, preventing the authentication bypass.

IA-5 Authenticator Management (prevent): Ensures proper management and verification of password authenticators, including length restrictions and correct usage, mitigating improper authentication in the encoder.

Input validation (prevent): Validates password inputs for length and format restrictions, preventing submission of crafted passwords longer than 72 characters that exploit the matching flaw.
