Observable Timing Discrepancy

CVE-2025-22234

Medium

5.3/10

Summary

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in "DaoAuthenticationProvider" for Spring Security. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. This affects versions 6.3.8 and 6.4.4.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-208 - Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

Advisory
Advisory
Issue

Advisory Timeline

Published Jan 22, 2026

Observable Timing Discrepancy

CVE-2025-22234

Summary

CWE-208 - Observable Timing Discrepancy

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS