SB2025031966 - Multiple vulnerabilities in Spring Security

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Security features bypass (CVE-ID: CVE-2025-22228)

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to BCryptPasswordEncoder does not properly enforce maximum password length and will return "true" for passwords larger than 72 characters as long as the first 72 characters are the same. This can be used set weak passwords that can be easily brute-forced.

2) Improper authorization (CVE-ID: CVE-2025-22223)

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to an error in @EnableMethodSecurity when locating method security annotations on parameterized types or methods. A remote non-authenticated attacker can bypass authorization process and gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://spring.io/security/cve-2025-22228
• https://spring.io/security/cve-2025-22223
• https://github.com/advisories/GHSA-hh3m-g4qj-4835