A serious information-exposure vulnerability (CVE-2025-22234) impacts several versions of the spring-security-crypto package. The vulnerability affects Spring Security versions 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, 6.3.8, and 6.4.4.

“The irony is that this vulnerability was introduced while fixing another security issue,” said Adrian Chapman, senior security researcher at CyberSafe Analytics. When the password encoder is set to BCrypt and a password exceeding 72 characters is submitted, the encoder now throws an exception instead of following the previous behavior.

Valid usernames typically result in longer processing times due to legitimate password checks, while invalid usernames return faster responses. Once valid usernames are identified, attackers can focus their password guessing or social engineering efforts on known accounts.

The vulnerability has been addressed by reverting to the previous behavior that ensured consistent timing regardless of username validity. This prevents attackers from determining valid usernames by measuring response times during login attempts.

Patches are now available through HeroDevs’ Never-Ending Support (NES) version. The fix is available in NES for Spring Security v5.7.18 and v5.8.21, re-establishing the critical timing attack mitigation that maintains authentication security integrity.

As the security landscape changes, maintaining vigilance and promptly addressing vulnerabilities like CVE-2025-22234 is crucial for safeguarding sensitive user information and preserving trust in enterprise applications.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
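The username timing oracle described above and the consistent-timing mitigation the fix restores, as an added illustrative example that is not Spring Security's code or its actual patch: a login check that skips the password encoder for unknown users beside one that enforces the 72-character limit before the lookup and performs the same hashing work on every path. The `authenticate_*`, `probe` and `_encode` names, the PBKDF2 stand-in for BCrypt and the constructed user store are assumptions.

```python
import hashlib
import hmac
import os

# Stdlib model of the timing mitigation the article describes; PBKDF2 stands in for BCrypt.
ITERATIONS = 20_000
MAX_PASSWORD_LEN = 72  # the BCrypt input limit the article mentions
HASH_CALLS = 0  # counts expensive hashes: a deterministic stand-in for a stopwatch

def _encode(password, salt):
    # Stand-in encoder: rejects over-long input, like the BCrypt behaviour described.
    global HASH_CALLS
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("password exceeds 72 characters")
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed store with one account, plus a fixed dummy credential for unknown usernames.
_SALT, _DUMMY_SALT = os.urandom(16), os.urandom(16)
USERS = {"alice": (_SALT, _encode("correct horse", _SALT))}
_DUMMY_HASH = _encode("dummy-password-never-accepted", _DUMMY_SALT)

def authenticate_leaky(username, password):
    """Unknown users skip the encoder entirely: faster, and never raise."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_encode(password, salt), expected)

def authenticate_hardened(username, password):
    """Validate first and hash on every path: no behaviour depends on user existence."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("password exceeds 72 characters")
    record = USERS.get(username)
    if record is None:
        hmac.compare_digest(_encode(password, _DUMMY_SALT), _DUMMY_HASH)
        return False
    salt, expected = record
    return hmac.compare_digest(_encode(password, salt), expected)

def probe(check, username, password):
    """Return (hashes performed, outcome); equal pairs for known/unknown users is the fixed property."""
    before = HASH_CALLS
    try:
        outcome = "ok" if check(username, password) else "rejected"
    except ValueError:
        outcome = "error"
    return HASH_CALLS - before, outcome
```

With `probe`, the leaky version answers differently for a known and an unknown username (and differently again for an over-long password), while the hardened version returns identical pairs for both.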
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Apr 2025 09:35:06 +0000