Spring Product Security Update Advisory (CVE-2025-22228)

Mar 24 2025

Overview

We have released security updates to fix vulnerabilities in Spring products. Users of affected products are advised to update to the latest version.

Affected Products

CVE-2025-22228

Spring Security versions: 5.7.0 through 5.7.15 (inclusive)
Spring Security versions: 5.8.0 through 5.8.17 (inclusive)
Spring Security versions: 6.0.0 through 6.0.15 (inclusive)
Spring Security versions: 6.1.0 through 6.1.13 (inclusive)
Spring Security versions: 6.2.0 through 6.2.9 (inclusive)
Spring Security versions: 6.3.0 through 6.3.7 (inclusive)
Spring Security versions: 6.4.0 through 6.4.3 (inclusive)

Resolved Vulnerabilities

True is returned for passwords longer than 72 characters (CVE-2025-22228)

Vulnerability Patches

Vulnerability patches have been made available in the latest updates. Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.

CVE-2025-22228

Spring Security version: 5.7.16
Spring Security version: 5.8.18
Spring Security version: 6.0.16
Spring Security version: 6.1.14
Spring Security version: 6.2.10
Spring Security version: 6.3.8
Spring Security version: 6.4.4

References

[1] CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length
https://spring.io/security/cve-2025-22228

Spring Product Security Update Advisory (CVE-2025-22228)

Adobe Product Suite March 2025 Routine Security Update Advisory

Google Chrome Browser (134.0.6998.117/.118) Security Update Advisory

Tags:

Adobe Product Suite March 2025 Routine Security Update Advisory

Google Chrome Browser (134.0.6998.117/.118) Security Update Advisory