A timing attack vulnerability (CVE-2025-22234) in the spring-security-crypto package exposes valid usernames to remote attackers without any direct data theft. The flaw was introduced when a patch for an earlier issue altered the behavior of BCryptPasswordEncoder on passwords longer than 72 characters: instead of executing a full password check, the encoder now throws an exception on long inputs, which creates an observable difference in authentication response time. An attacker able to submit login requests and measure response delays can therefore distinguish valid usernames from invalid ones. While no passwords or personal data are directly compromised, this information exposure erodes the confidentiality of user accounts and lowers the barrier for targeted brute-force attacks, social engineering campaigns, and credential stuffing. Organizations running the affected versions may see an increase in account takeover attempts, reputational harm, and potential downstream breaches. Patches restoring consistent timing semantics are available in HeroDevs’ Never-Ending Support (NES) releases for Spring Security 5.7.18 and 5.8.21.
Source: https://cybersecuritynews.com/spring-security-vulnerability-let-attackers/
"id": "glo739042525",
"linkid": "global-security-pride",
"type": "Vulnerability",
"date": "4/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"