Spring Security Timing Attack Vulnerability in DaoAuthenticationProvider

Vulnerability

A vulnerability exists in Spring Security versions 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, 6.3.8, and 6.4.4, as well as older unsupported versions. The issue arises because a fix for a different vulnerability (CVE-2025-22228) unintentionally disrupted the timing attack mitigation in DaoAuthenticationProvider. This disruption could allow attackers to deduce valid usernames or other authentication-related behaviors by exploiting differences in response times, under certain configurations.
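The mitigation the advisory refers to, shown as an added example in Python rather than Spring Security's own code: a leaky check that skips the password hash for unknown users beside the hardened form that always hashes against a precomputed dummy credential, which is the pattern DaoAuthenticationProvider uses so that a missing account costs the same work as a wrong password. The user store, salts and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; high enough that a skipped hash is measurable
HASH_CALLS = 0         # instrumentation: how many times the slow hash actually ran

def derive(password: str, salt: bytes) -> bytes:
    """Slow password hash, standing in for the work PasswordEncoder.matches() does."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample store: one real account.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive("correct horse", _SALT))}

# Precomputed dummy credential, playing the role of DaoAuthenticationProvider's
# "user not found" encoded password: a missing account is checked against it so
# the request costs exactly one hash, the same as a known user with a bad password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("userNotFoundPassword", _DUMMY_SALT)

def authenticate_leaky(username: str, password: str) -> bool:
    """Broken mitigation: unknown users return before any hashing, so the
    response is measurably faster than for a known user with a wrong password."""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(derive(password, salt), stored)

def authenticate_hardened(username: str, password: str) -> bool:
    """Mitigated: always run the hash. Unknown users are compared against the
    dummy credential and rejected regardless of the comparison result."""
    entry = USERS.get(username)
    salt, stored = entry if entry is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(derive(password, salt), stored)
    return matches and entry is not None   # never succeed for a missing account

def hash_work(fn, username: str, password: str) -> int:
    """Number of slow-hash invocations a single login attempt triggers."""
    before = HASH_CALLS
    fn(username, password)
    return HASH_CALLS - before

if __name__ == "__main__":
    for fn in (authenticate_leaky, authenticate_hardened):
        print(fn.__name__, "known user/bad password:", hash_work(fn, "alice", "nope"),
              "unknown user:", hash_work(fn, "mallory", "nope"))
```

The hash counts are what an attacker's stopwatch sees: the leaky path does zero hashes for an unknown name and one for a known name, while the hardened path does one in both cases.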

Impact

Exploitation of this vulnerability could lead to a timing attack, allowing attackers to infer valid usernames or authentication behaviors based on response time variations.

Remediation

Users of affected versions should upgrade to the corresponding fixed version. For versions 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, the fixed versions are available through VMware Enterprise Support. For versions 6.3.8 and 6.4.4, the fixed versions are available as open-source.

Added: Jan 22, 2026, 9:22 PM
Updated: Jan 22, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 0.6
exploitability: 4.7
remediation: 7.7
relevance: 2.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.