CVE-2025-22234
Timing Attack Vulnerability in DaoAuthenticationProvider Enables User Enumeration
Publication date: 2026-01-22
Last updated on: 2026-01-22
Assigner: VMware
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spring | security | 5.7.16 |
| spring | security | 5.8.18 |
| spring | security | 6.0.16 |
| spring | security | 6.1.14 |
| spring | security | 6.2.10 |
| spring | security | 6.3.8 |
| spring | security | 6.4.4 |
| spring | security | 5.7.17 |
| spring | security | 5.8.19 |
| spring | security | 6.0.17 |
| spring | security | 6.1.15 |
| spring | security | 6.2.11 |
| spring | security | 6.3.9 |
| spring | security | 6.4.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Spring Security's BCryptPasswordEncoder breaks the timing attack mitigation implemented in DaoAuthenticationProvider. It was introduced inadvertently by a previous fix (CVE-2025-22228). Because of this, attackers can infer valid usernames or other authentication behavior by measuring response-time differences under certain configurations. [1]
How can this vulnerability impact me? :
The vulnerability allows attackers to perform timing attacks to infer valid usernames or authentication behavior, potentially exposing confidential information. This can lead to unauthorized information disclosure without affecting system integrity or availability. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your Spring Security versions to the fixed releases: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 depending on your current version. Some fixes are available only under Enterprise Support, while others are available as Open Source Software. Applying these updates will address the timing attack mitigation issue introduced by the previous fix. [1]