PT-2025-35774 · Vmware · Spring Security
Kuzmany
+2
·
Published
2025-09-03
·
Updated
2025-09-03
·
CVE-2025-9824
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
versions prior to the patched version
Description
The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks. The issue was caused by different response times when a valid username was provided (password hashing occurred) and when an invalid username was provided (no password hashing occurred). The fix introduces a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification even for non-existent users, ensuring consistent timing.
Recommendations
Upgrade to the patched version.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Spring Security