CVE-2025-22234
Unknown Unknown - Not Provided
Timing Attack Vulnerability in DaoAuthenticationProvider Enables User Enumeration

Publication date: 2026-01-22

Last updated on: 2026-01-22

Assigner: VMware

Description
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-22
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-22234
EUVD
EUVD-2026-3787
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
spring security 5.7.16
spring security 5.8.18
spring security 6.0.16
spring security 6.1.14
spring security 6.2.10
spring security 6.3.8
spring security 6.4.4
spring security 5.7.17
spring security 5.8.19
spring security 6.0.17
spring security 6.1.15
spring security 6.2.11
spring security 6.3.9
spring security 6.4.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Spring Security's BCryptPasswordEncoder breaks the timing attack mitigation implemented in DaoAuthenticationProvider. It was introduced inadvertently by a previous fix (CVE-2025-22228). Because of this, attackers can infer valid usernames or other authentication behavior by measuring response-time differences under certain configurations. [1]

Impact Analysis

The vulnerability allows attackers to perform timing attacks to infer valid usernames or authentication behavior, potentially exposing confidential information. This can lead to unauthorized information disclosure without affecting system integrity or availability. [1]

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Spring Security versions to the fixed releases: 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, or 6.4.5 depending on your current version. Some fixes are available only under Enterprise Support, while others are available as Open Source Software. Applying these updates will address the timing attack mitigation issue introduced by the previous fix. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-22234. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart