CVE-2025-22234 | THREATINT

Description

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

PUBLISHED Reserved 2025-01-02 | Published 2026-01-22 | Updated 2026-01-22 | Assigner vmware

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-208 Timing Descrepency

Product status

Default status

affected

5.7.16 (semver)

affected

5.8.18 (semver)

affected

6.0.16 (semver)

affected

6.1.14 (semver)

affected

6.2.10 (semver)

affected

6.3.8 (semver)

affected

6.4.4 (semver)

affected

Credits

Jonas Robl reporter

References

spring.io/security/cve-2025-22234/ (Spring Security Advisory: CVE-2025-22234) vendor-advisory

cve.org (CVE-2025-22234)

nvd.nist.gov (CVE-2025-22234)

Download JSON