
Spring, a widely used framework for Java-based applications, has disclosed two significant security vulnerabilities that could lead to authorization bypass and weak password enforcement. The vulnerabilities, tracked as CVE-2025-22223 and CVE-2025-22228, impact multiple versions of Spring Security and require immediate action from developers to mitigate the risks.
CVE-2025-22223: Authorization Bypass in Method Security Annotations
Spring Security’s method-level security provides fine-grained access control, but a flaw in its implementation may allow unauthorized users to invoke restricted methods under certain conditions. According to the advisory: “Spring Security may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.”
The vulnerability specifically affects applications that meet the following criteria:
- Using @EnableMethodSecurity to enforce method security.
- Defining method security annotations on parameterized types, interfaces, or overridden methods, but not directly on the target method.
If an application matches these conditions, attackers may be able to invoke restricted methods without proper authorization. However, developers can mitigate this issue by ensuring that “all method security annotations are attached to target methods” or by upgrading to Spring Security 6.4.4, which contains the fix.
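The two annotation placements the advisory distinguishes, as an added Java example (not code from the advisory or from the Spring project). The type and method names (Repository, Order, OrderRepository, HardenedOrderRepository, delete) are hypothetical; the annotations and imports are the real Spring Security ones. The first implementation relies on the annotation declared on a parameterized interface, which is the pattern the advisory says 6.4.0 through 6.4.3 may fail to locate; the second places the annotation on the target method itself, which is the workaround the advisory recommends.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// First criterion from the advisory: method security is switched on.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Hypothetical domain type and parameterized service interface.
class Order {
}

interface Repository<T> {
    // The restriction is declared here, on a generic interface method, and
    // nowhere else. In affected versions the annotation may not be located
    // on the concrete target method, so the check may not be applied.
    @PreAuthorize("hasRole('ADMIN')")
    void delete(T entity);
}

// Pattern the advisory flags: the target method carries no annotation of its
// own. (Only one of the two implementations below would be registered as a
// bean in a real application; both are shown here for comparison.)
class OrderRepository implements Repository<Order> {
    @Override
    public void delete(Order entity) {
        // ... remove the order; access control depends entirely on the
        // interface annotation being found
    }
}

// Recommended pattern: the same annotation is attached directly to the target
// method, so enforcement no longer depends on annotation lookup through the
// parameterized interface.
@Service
class HardenedOrderRepository implements Repository<Order> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(Order entity) {
        // ... remove the order
    }
}
```

A quick way to audit a code base for the flagged pattern is to list every method annotated with @PreAuthorize, @PostAuthorize, @Secured or a JSR-250 annotation on an interface or generic supertype, and confirm that each overriding method in a concrete class repeats the annotation (or that the project runs 6.4.4 or later).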
CVE-2025-22228: Weak Password Enforcement in BCryptPasswordEncoder
The second vulnerability, CVE-2025-22228, impacts BCryptPasswordEncoder, a common password hashing function in Spring Security. The issue allows authentication to succeed for passwords exceeding 72 characters, as long as the first 72 characters match the expected password.
As the advisory explains: “BCryptPasswordEncoder.matches(CharSequence, String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.”
This behavior can introduce security risks by enabling password truncation attacks: a candidate password that differs from the real one only after the 72nd character is still accepted, so an attacker who knows or guesses the first 72 characters can bypass authentication without knowing the rest.
Affected Versions and Mitigation Steps
The vulnerabilities impact multiple versions of Spring Security, including:
- Spring Security 6.4.0 – 6.4.3 (CVE-2025-22223)
- Spring Security 5.7.0 – 6.4.3 (CVE-2025-22228)
To mitigate these vulnerabilities, Spring advises developers to upgrade to the patched versions:
- 6.4.4 (for OSS users)
- Enterprise support patches for older versions
If upgrading is not feasible, developers can take the following steps:
- For CVE-2025-22223: Ensure security annotations are explicitly placed on the target method instead of relying on inherited or parameterized types.
- For CVE-2025-22228: Enforce password length policies at the application level to reject passwords exceeding 72 characters.
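One way to apply the application-level length policy suggested above for CVE-2025-22228, as an added Java example (not Spring's own code). It wraps the real BCryptPasswordEncoder in a PasswordEncoder decorator so that both registration and authentication refuse inputs longer than the limit; the class name LengthLimitedPasswordEncoder and the sample passwords in main are hypothetical. The check uses the UTF-8 byte length rather than a character count because the underlying bcrypt algorithm only consumes the first 72 bytes of its input, so a byte-based limit is at least as strict as the 72-character limit the advisory describes.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

final class LengthLimitedPasswordEncoder implements PasswordEncoder {
    // bcrypt uses only the first 72 bytes of the password; anything beyond that
    // is ignored by the algorithm, which is the behaviour CVE-2025-22228 exposes.
    static final int MAX_PASSWORD_BYTES = 72;

    private final PasswordEncoder delegate;

    LengthLimitedPasswordEncoder(PasswordEncoder delegate) {
        this.delegate = delegate;
    }

    // Policy check shared by encode() and matches().
    static boolean withinLimit(CharSequence rawPassword) {
        if (rawPassword == null) {
            return false;
        }
        int bytes = rawPassword.toString().getBytes(StandardCharsets.UTF_8).length;
        return bytes <= MAX_PASSWORD_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        // Refuse to store a hash that would silently cover only a prefix.
        if (!withinLimit(rawPassword)) {
            throw new IllegalArgumentException(
                "password must not exceed " + MAX_PASSWORD_BYTES + " bytes");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Over-long candidates fail closed instead of being judged on their
        // first 72 bytes alone. Returning false (rather than throwing) keeps
        // the normal "bad credentials" path in the authentication flow.
        if (!withinLimit(rawPassword)) {
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }

    @Override
    public boolean upgradeEncoding(String encodedPassword) {
        return delegate.upgradeEncoding(encodedPassword);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder =
            new LengthLimitedPasswordEncoder(new BCryptPasswordEncoder());

        // Constructed sample inputs for the demonstration.
        String stored = encoder.encode("correct horse battery staple");
        String prefix = "a".repeat(72);

        try {
            encoder.encode(prefix + "-suffix-one");      // 72 bytes + more
        } catch (IllegalArgumentException e) {
            System.out.println("encode rejected: " + e.getMessage());
        }

        // An over-long candidate is refused before bcrypt ever sees it.
        System.out.println(encoder.matches(prefix + "-suffix-two", stored));
        // A normal-length correct password still authenticates.
        System.out.println(encoder.matches("correct horse battery staple", stored));
    }
}
```

Register the decorator as the application's PasswordEncoder bean in place of the bare BCryptPasswordEncoder; because it implements the same interface, the rest of the authentication configuration is unchanged. The wrapper is a stop-gap for deployments that cannot move to 6.4.4 yet, not a substitute for the upgrade.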