The 73rd Byte: How a Spring Security Fix Created a Timing Leak
Vulnerability ID: CVE-2025-22234
CVSS Score: 5.3
Published: 2026-01-22
A medium-severity timing attack vulnerability in Spring Security's DaoAuthenticationProvider. An improperly implemented length check for BCrypt passwords allowed attackers to bypass timing mitigations and enumerate usernames by analyzing response times.
TL;DR
Spring Security tried to fix a password truncation issue (CVE-2025-22228) by banning passwords longer than 72 bytes. However, they enforced this check too early in the authentication flow. By sending a 73+ byte password, attackers could trigger an immediate exception for non-existent users (bypassing the 'dummy' hash), while existing users took longer to process. This timing discrepancy allowed for reliable username enumeration.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-208
- Attack Vector: Network
- CVSS: 5.3 (Medium)
- Impact: Information Disclosure (Username Enumeration)
- Exploit Status: PoC Available
- Root Cause: Exception thrown before constant-time operation
Affected Systems
- Spring Security 6.4.4 (fixed in 6.4.5)
- Spring Security 6.3.8 (fixed in 6.3.9)
- Spring Security 6.2.10
- Spring Security 6.1.14
- Spring Security 6.0.16
- Spring Security 5.8.18 (fixed in 5.8.19)
- Spring Security 5.7.16
Code Analysis
Commit: b478716
Ensure BCryptPasswordEncoder checks length only on encode
if (!for_check && passwordb.length > 72) { ... }
Exploit Details
- GitHub: Proof of concept discussed in issue tracker
Mitigation Strategies
- Upgrade Spring Security to the latest patch release immediately.
- Implement generic rate limiting on login endpoints to make enumeration tedious even if timing leaks exist.
- Monitor for high rates of 500 Internal Server Errors or specific IllegalArgumentExceptions on login endpoints, which might indicate an active exploitation attempt.
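To act on the monitoring advice above, here is an added example (not from the original post or the Spring Security project) that flags clients producing bursts of IllegalArgumentException-backed HTTP 500s on a login endpoint. The log line layout, the /login path and the sample lines are constructed assumptions; adapt LINE_RE and LOGIN_PATHS to your real access or application log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed format, not Spring's own layout), one request per line:
# "<ISO timestamp> <client IP> <method> <path> <status> <exception class or ->".
SAMPLE_LOG = """\
2026-01-22T10:15:01Z 203.0.113.7 POST /login 500 java.lang.IllegalArgumentException
2026-01-22T10:15:02Z 203.0.113.7 POST /login 500 java.lang.IllegalArgumentException
2026-01-22T10:15:03Z 203.0.113.7 POST /login 500 java.lang.IllegalArgumentException
2026-01-22T10:15:04Z 203.0.113.7 POST /login 500 java.lang.IllegalArgumentException
2026-01-22T10:15:09Z 203.0.113.7 POST /login 500 java.lang.IllegalArgumentException
2026-01-22T10:20:00Z 198.51.100.4 GET /api/items 500 java.lang.NullPointerException
2026-01-22T10:31:00Z 203.0.113.7 POST /login 500 java.lang.IllegalArgumentException
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
LOGIN_PATHS = {"/login"}  # assumed login endpoint(s); extend for your application

def parse_line(line):
    """Return (ts, client, path, status, exception) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(4), int(m.group(5)), m.group(6)

def is_suspect(path, status, exc):
    # A 500 on the login endpoint backed by IllegalArgumentException is the
    # signature the advisory associates with over-length (>72 byte) passwords.
    return path in LOGIN_PATHS and status == 500 and exc.endswith("IllegalArgumentException")

def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return [(client, first_ts_iso, count)] for each client that produces at
    least `threshold` suspect login errors inside a sliding `window`."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suspect(rec[2], rec[3], rec[4]):
            continue
        ts, client = rec[0], rec[1]
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and client not in alerted:  # alert once per client
            alerted.add(client)
            alerts.append((client, q[0].isoformat(), len(q)))
    return alerts
```

Running detect_bursts(SAMPLE_LOG.splitlines()) on the constructed sample returns a single alert for 203.0.113.7 with five events starting at 10:15:01; the 10:31 event falls outside the 60 s window and the NullPointerException on /api/items is ignored.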
Remediation Steps:
- Identify the Spring Security version in use via pom.xml or build.gradle.
- Update to the fixed version corresponding to your release line (e.g., 6.4.4 -> 6.4.5, 6.3.8 -> 6.3.9).
- Verify the fix by running the provided timing attack PoC against a staging environment.
References
Read the full report for CVE-2025-22234 on our website for more details including interactive diagrams and full exploit analysis.