CVE-2025-22228 – BCrypt password verification flaw
Severity: Low
2025-12-19
Abstract
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords longer than 72 characters as long as the first 72 characters are the same.
The Oxygen products incorporate Spring Security (spring-security-crypto) as a third-party library. This advisory was opened to address the potential impact of this third-party library’s vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen Content Fusion v8.0 and older | None | Oxygen Content Fusion 8.1 build 2025042315 |
| Oxygen Feedback v5.1 and older | Low | Oxygen Feedback 5.2 build 2025042516 |
Detail
CVE-2025-22228
Severity: High
CVSS Score: 7.4
Spring Security’s BCryptPasswordEncoder may incorrectly return true when validating passwords longer than 72 characters if the first 72 characters are identical. This weakens password verification for affected code paths that both use BCryptPasswordEncoder and allow passwords exceeding 72 characters. The issue resides in the spring-security-crypto component.
Starting with Oxygen Content Fusion version 8.1 build 2025042315 we updated dependencies to include a non-vulnerable version.
Starting with Oxygen Feedback version 5.2 build 2025042516 we updated dependencies to include a non-vulnerable version.
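Upgrading to a non-vulnerable spring-security-crypto is the fix. For application code that wants an explicit guard as well, the following wrapper (an added example, not Oxygen's or Spring Security's own code) refuses to encode or match any password whose UTF-8 encoding exceeds bcrypt's 72-byte key limit, so the truncation behind this CVE cannot make two different long passwords compare equal; the class name `LengthCheckedBCryptEncoder` is hypothetical.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical defensive wrapper (added example): delegates to
 * BCryptPasswordEncoder but rejects passwords longer than the 72 bytes
 * bcrypt actually keys on. The limit is measured in UTF-8 bytes, not
 * characters, so multi-byte characters reach it sooner.
 */
public final class LengthCheckedBCryptEncoder implements PasswordEncoder {
    private static final int BCRYPT_MAX_BYTES = 72;
    private final PasswordEncoder delegate = new BCryptPasswordEncoder();

    // True when bcrypt would silently truncate this password.
    private static boolean exceedsLimit(CharSequence rawPassword) {
        byte[] utf8 = rawPassword.toString().getBytes(StandardCharsets.UTF_8);
        return utf8.length > BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        if (rawPassword == null || exceedsLimit(rawPassword)) {
            // Fail loudly at enrollment time rather than storing a truncated hash.
            throw new IllegalArgumentException(
                "password must not exceed " + BCRYPT_MAX_BYTES + " bytes");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        if (rawPassword == null || exceedsLimit(rawPassword)) {
            // Never allow a comparison that only covers the first 72 bytes to succeed.
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }
}
```

Registering this class as the application's `PasswordEncoder` bean makes both sign-up and login paths subject to the same length check.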
