A timing attack vulnerability (CVE-2025-22234) in the spring-security-crypto package has exposed valid usernames to remote attackers without direct data theft. The flaw was introduced when a patch for an earlier issue altered the behavior of BCryptPasswordEncoder on passwords longer than 72 characters. Instead of executing a full password check, the encoder now throws an exception on long inputs, creating observable differences in authentication response times. An attacker able to submit login requests and measure response delays can distinguish between valid and invalid usernames. While no passwords or personal data were directly compromised, this information exposure erodes the confidentiality of user accounts and lowers the barrier for targeted brute-force attacks, social engineering campaigns, and credential stuffing. Organizations relying on the affected versions may see an increase in account takeover attempts, reputational harm, and potential downstream breaches. Patches restoring consistent timing semantics are available in HeroDevs’ Never-Ending Support (NES) releases for Spring Security 5.7.18 and 5.8.21.
Source: https://cybersecuritynews.com/spring-security-vulnerability-let-attackers/
TPRM report: https://scoringcyber.rankiteo.com/company/global-security-pride
"id": "glo739042525",
"linkid": "global-security-pride",
"type": "Vulnerability",
"date": "4/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'Software Development', 'name': 'HeroDevs', 'type': 'Organization'}],
 'attack_vector': 'Timing Attack',
 'description': 'A timing attack vulnerability (CVE-2025-22234) in the spring-security-crypto package has exposed valid usernames to remote attackers without direct data theft. The flaw was introduced when a patch for an earlier issue altered the behavior of BCryptPasswordEncoder on passwords longer than 72 characters. Instead of executing a full password check, the encoder now throws an exception on long inputs, creating observable differences in authentication response times. An attacker able to submit login requests and measure response delays can distinguish between valid and invalid usernames. While no passwords or personal data were directly compromised, this information exposure erodes the confidentiality of user accounts and lowers the barrier for targeted brute-force attacks, social engineering campaigns, and credential stuffing. Organizations relying on the affected versions may see an increase in account takeover attempts, reputational harm, and potential downstream breaches. Patches restoring consistent timing semantics are available in HeroDevs’ Never-Ending Support (NES) releases for Spring Security 5.7.18 and 5.8.21.',
 'impact': {'brand_reputation_impact': 'Reputational Harm'},
 'motivation': 'Information Exposure',
 'post_incident_analysis': {'corrective_actions': 'Patches restoring consistent timing semantics are available in HeroDevs’ Never-Ending Support (NES) releases for Spring Security 5.7.18 and 5.8.21.',
                            'root_causes': 'The flaw was introduced when a patch for an earlier issue altered the behavior of BCryptPasswordEncoder on passwords longer than 72 characters.'},
 'response': {'remediation_measures': 'Patches restoring consistent timing semantics are available in HeroDevs’ Never-Ending Support (NES) releases for Spring Security 5.7.18 and 5.8.21.'},
 'title': 'Timing Attack Vulnerability in spring-security-crypto Package',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2025-22234'}