All intelligence
// vulnerability record
live · NVDCVE-2025-22228
HIGHpublished 2025-03-20 06:15 UTC · 1 year ago · modified 2026-06-17 08:45 UTC
7.4
CVSS / 10
// description
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
// weaknesses (CWE)
- CWE-287