Description
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected products
- Spring / Spring Security5.7.16 – 5.7.16
- Spring / Spring Security5.8.18 – 5.8.18
- Spring / Spring Security6.0.16 – 6.0.16
- Spring / Spring Security6.1.14 – 6.1.14
- Spring / Spring Security6.2.10 – 6.2.10
- Spring / Spring Security6.3.8 – 6.3.8
- Spring / Spring Security6.4.4 – 6.4.4