Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide

GHSA-vqxh-445g-37fc · CVE-2025-22234

Published Jan 22, 2026 · Modified Feb 3, 2026

Description

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-22234
PACKAGE https://github.com/spring-projects/spring-security
WEB https://spring.io/security/cve-2025-22234

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes