SentinelOne
CVE Vulnerability Database

CVE-2025-22228: BCryptPasswordEncoder Auth Bypass Flaw

CVE-2025-22228 is an authentication bypass vulnerability in BCryptPasswordEncoder that incorrectly validates passwords over 72 characters. This article covers the technical details, security implications, and recommended fixes.

CVE-2025-22228 Overview

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

Critical Impact

This vulnerability in BCryptPasswordEncoder allows unauthorized access by improperly validating passwords longer than 72 characters.

Affected Products

  • Not Available

Discovery Timeline

  • 2025-03-20T06:15:23.087 - CVE CVE-2025-22228 published to NVD
  • 2025-04-25T23:15:16.877 - Last updated in NVD database

Technical Details for CVE-2025-22228

Vulnerability Analysis

The issue exists within the BCryptPasswordEncoder of the Spring framework, where the matches function fails to correctly compare passwords that exceed 72 characters. As long as the first 72 characters of a submitted password match the valid credential, the comparison succeeds regardless of what follows, which lets an attacker bypass authentication with any password that shares that prefix.

Root Cause

The root cause lies in BCrypt's handling of its input, which only feeds the first 72 characters of a string into the hash. Characters beyond that point have no influence on the result, so an implementation that silently truncates over-length input instead of rejecting it will accept any password whose first 72 characters match a valid one.

Attack Vector

The vulnerability is exploitable over the network: an attacker submits a password longer than 72 characters, and only the initial 72-character segment needs to be correct for the login to succeed.

```java
// Example exploitation scenario (affected versions only); validPassword is a legitimate password of at least 72 characters
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String encodedPassword = passwordEncoder.encode(validPassword);
// Candidate shares the first 72 characters of the real password, then diverges
String longPassword = validPassword.substring(0, 72) + "excessCharactersForBypass";
boolean isMatch = passwordEncoder.matches(longPassword, encodedPassword);
System.out.println("Password match: " + isMatch); // true on affected versions: characters after the 72nd are ignored
```

Detection Methods for CVE-2025-22228

Indicators of Compromise

  • Unexpected successful logins with long passwords
  • Log entries showing unusually long password inputs
  • Failed logins followed by successful attempts using extended passwords

Detection Strategies

Adopt logging and monitoring for authentication mechanisms so that attempts where the submitted password exceeds the expected length are captured and flagged, paying particular attention to the match result for those attempts. Record only the length of the submitted credential, never the credential itself.

Monitoring Recommendations

Implement monitoring for authentication events, and set alerts for anomalous login attempts involving passwords longer than 72 characters.

How to Mitigate CVE-2025-22228

Immediate Actions Required

  • Update BCrypt dependencies to patched versions
  • Implement input validation to reject passwords longer than 72 characters
  • Review authentication logs for irregularities

Patch Information

No specific patch details are available. Refer to vendor advisory: Spring Advisory.

Workarounds

Apply input validation to ensure passwords do not exceed 72 characters before processing.

```java
// Configuration example for input validation: reject over-length passwords before they reach the encoder
public class PasswordValidator {
    public static boolean isValid(String password) {
        // Note: String.length() counts UTF-16 code units; bcrypt's actual limit is 72 bytes of the
        // UTF-8 encoding, so passwords containing multi-byte characters reach the limit sooner.
        return password != null && password.length() <= 72;
    }
}
```
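Added here as a defence-in-depth illustration, not Spring Security's own code and not a substitute for upgrading: a hypothetical wrapper encoder that applies the workaround above before delegating to BCryptPasswordEncoder. It checks UTF-8 byte length rather than character count, because bcrypt's input limit is 72 bytes, which is what the 72-character figure corresponds to for ASCII passwords.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical wrapper (written for this article, not Spring Security code) that
 * refuses any raw password whose UTF-8 encoding exceeds bcrypt's 72-byte input
 * limit, so the silent truncation behind CVE-2025-22228 is never reached.
 */
public final class LengthCheckedBCryptEncoder implements PasswordEncoder {
    // bcrypt feeds at most 72 bytes of the key into its key schedule.
    static final int BCRYPT_MAX_BYTES = 72;
    private final BCryptPasswordEncoder delegate = new BCryptPasswordEncoder();

    static boolean withinBcryptLimit(CharSequence raw) {
        if (raw == null) return false;
        // Count UTF-8 bytes, not chars: multi-byte characters hit the limit sooner.
        return raw.toString().getBytes(StandardCharsets.UTF_8).length <= BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        // Refuse to store a hash that only covers a prefix of the password.
        if (!withinBcryptLimit(rawPassword)) {
            throw new IllegalArgumentException("password exceeds 72 UTF-8 bytes");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Fail closed: an over-length candidate is a mismatch, not a truncated match.
        if (!withinBcryptLimit(rawPassword)) {
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }

    public static void main(String[] args) {
        PasswordEncoder enc = new LengthCheckedBCryptEncoder();
        String hash = enc.encode("correct horse battery staple");
        System.out.println("exact match: " + enc.matches("correct horse battery staple", hash));
        // 73 ASCII bytes: rejected before bcrypt ever sees it
        System.out.println("73-byte candidate: " + enc.matches("a".repeat(73), hash));
        // 24 copies of a 3-byte character are exactly 72 bytes; 25 copies are not
        System.out.println("24 x '€' within limit: " + withinBcryptLimit("€".repeat(24)));
        System.out.println("25 x '€' within limit: " + withinBcryptLimit("€".repeat(25)));
    }
}
```

Registering this wrapper as the application's PasswordEncoder bean gives the same fail-closed behaviour to every login path, whereas a standalone validator has to be called explicitly before each matches() invocation.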

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
