{"id":3528,"date":"2025-04-25T10:04:16","date_gmt":"2025-04-25T10:04:16","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/25\/spring-security-vulnerability-let-attackers-determine-which-usernames-are-valid\/"},"modified":"2025-04-25T10:04:16","modified_gmt":"2025-04-25T10:04:16","slug":"spring-security-vulnerability-let-attackers-determine-which-usernames-are-valid","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/25\/spring-security-vulnerability-let-attackers-determine-which-usernames-are-valid\/","title":{"rendered":"Spring Security Vulnerability Let Attackers Determine Which Usernames are Valid"},"content":{"rendered":"

Spring Security Vulnerability Let Attackers Determine Which Usernames are Valid
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A serious vulnerability related to information exposure (CVE-2025-22234) impacts several versions of the spring-security-crypto package.<\/p>\n

The flaw enables attackers to determine valid usernames through timing attacks, undermining a key security<\/a> feature designed to prevent user enumeration.\u00a0<\/p>\n

The vulnerability affects Spring Security versions 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, 6.3.8, and 6.4.4. Patches are now available<\/a> through HeroDevs\u2019 Never-Ending Support (NES) version.<\/p>\n

Spring Security, a comprehensive Java security framework widely used in enterprise applications, typically implements timing attack mitigation by performing password checks regardless of whether a username exists.\u00a0<\/p>\n

Spring Security Timing Attack Exposes Usernames<\/strong><\/h2>\n

This prevents attackers from determining valid usernames by measuring response times during login attempts.<\/p>\n

\u201cThe irony is that this vulnerability was introduced while fixing another security issue,\u201d said Adrian Chapman, senior security researcher at CyberSafe Analytics.\u00a0<\/p>\n

\u201cThe patch for CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider.\u201d<\/p>\n

The technical root cause involves BCrypt<\/a> password encoding with long passwords. When the password encoder is set to BCrypt and a password exceeding 72 characters is submitted, the encoder now throws an exception instead of following the previous behavior. This change allows attackers to measure differences in response times.<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

Through careful measurement of response times, attackers can determine which usernames exist in the system.\u00a0<\/p>\n

Valid usernames typically result in longer processing times due to legitimate password checks, while invalid usernames return faster responses.<\/p>\n

Once valid usernames are identified, attackers can focus their password guessing or social engineering<\/a> efforts on known accounts.<\/p>\n

The vulnerability, rated as Medium severity, was discovered by Jonas Robl from SAP and published on April 22, 2025.\u00a0<\/p>\n

\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\nSpring Security: 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, 6.3.8, 6.4.4<\/td>\n<\/tr>\n
Impact<\/td>\nInformation Exposure<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\nAttacker must be able to send authentication requests and measure response times; application must use affected Spring Security version with BCryptPasswordEncoder and DaoAuthenticationProvider<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n6.5 (Medium)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Mitigation Steps<\/strong><\/h2>\n

Organizations using affected Spring Security versions should immediately implement one of the following mitigations:<\/p>\n