Spring Security BCryptPasswordEncoder 超长密码处理漏洞(CVE-2025-22228)分析文档<\/h1>

漏洞概述<\/h2>
漏洞编号<\/strong>: CVE-2025-22228
危害等级<\/strong>: 中危
影响组件<\/strong>: org.springframework.security:spring-security-crypto
影响版本<\/strong>: Spring Security < 6.4.4<\/p>
漏洞描述<\/strong>:
Spring Security 的 BCryptPasswordEncoder 在校验经过 BCrypt 加密后的密码时未对输入密码长度做校验。当攻击者提供的前72个字符与正确密码的前72个字符相同时，系统会错误地认为密码正确，导致攻击者可利用该漏洞绕过身份验证，进行提权或窃取系统敏感信息。<\/p>

漏洞复现<\/h2>
环境准备<\/h3>

下载存在漏洞版本的 spring-security-crypto jar 包，例如 5.8.0 版本：<\/p>
https:\/\/repo.maven.apache.org\/maven2\/org\/springframework\/security\/spring-security-crypto\/5.8.0\/spring-security-crypto-5.8.0.jar <\/code><\/pre> <\/li> 创建测试类，避免使用 Spring Boot 完整框架以减少复杂度：<\/p> <\/li> <\/ol> import<\/span> org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Test<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> BCryptPasswordEncoder encoder =<\/span> new<\/span> BCryptPasswordEncoder();<\/span> <\/span><\/span> String password =<\/span> "a"<\/span>.<\/span>repeat<\/span>(<\/span>72<\/span>)<\/span> +<\/span> "b"<\/span>;<\/span> \/\/ 72个a加1个b <\/span><\/span><\/span><\/span> String encodedPassword =<\/span> encoder.<\/span>encode<\/span>(<\/span>"a"<\/span>.<\/span>repeat<\/span>(<\/span>72<\/span>)<\/span> +<\/span> "c"<\/span>);<\/span> \/\/ 72个a加1个c <\/span><\/span><\/span><\/span> <\/span><\/span> boolean<\/span> result =<\/span> encoder.<\/span>matches<\/span>(<\/span>password,<\/span> encodedPassword);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"验证结果: "<\/span> +<\/span> result);<\/span> \/\/ 将输出true <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>复现结果<\/h3> 当输入密码的前72个字符与存储密码的前72个字符相同时，即使后续字符不同，验证结果也会返回true<\/code>，证明漏洞存在。<\/p> BCrypt 算法背景<\/h2> BCrypt 是一种广泛使用的密码哈希算法，主要特点：<\/p> 计算慢<\/strong>：通过调整工作因子(cost)控制哈希计算复杂度，增加暴力破解难度<\/li> 抗彩虹表<\/strong>：每次哈希都会生成不同的salt，即使相同密码也会产生不同哈希值<\/li> 内置salt<\/strong>：salt存储在哈希结果中，格式为：$2a$[cost]$[22字符salt][31字符hash]<\/code><\/li> <\/ol> 漏洞分析<\/h2> 关键调用链<\/h3> BCryptPasswordEncoder.matches(CharSequence rawPassword, String encodedPassword)<\/code><\/li> BCrypt.checkpw(rawPassword.toString(), encodedPassword)<\/code><\/li> BCrypt.hashpw(password, salt)<\/code><\/li> BCrypt.ekskey(salt, password)<\/code><\/li> BCrypt.streamtoword(byte[] data, int[] offp)<\/code><\/li> <\/ol> 漏洞根源<\/h3> 在 BCrypt.ekskey()<\/code> 方法中，密码被处理为72字节的块：<\/p> streamtoword<\/code> 方法每次处理4字节，共处理18次(4×18=72)<\/li> 当密码长度超过72字节时，超出部分被忽略<\/li> 因此只要前72字节匹配，后续内容不影响验证结果<\/li> <\/ol> 动态调试发现<\/h3> plen<\/code> 参数值为16，koffp<\/code> 参数值为4<\/li> 循环处理时，off<\/code> 值最终为68<\/li> 在 streamtoword<\/code> 方法中完成最后4字节处理，总计72字节<\/li> <\/ol> 官方修复<\/h2> Spring Security 6.4.4 版本修复方式：<\/p> if<\/span> (<\/span>password.<\/span>length<\/span> >=<\/span> 72<\/span>)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> IllegalArgumentException(<\/span>"Password too long"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>在密码长度超过72字节时直接抛出异常，避免截断导致的验证问题。<\/p> 安全建议<\/h2> 升级 Spring Security 到 6.4.4 或更高版本<\/li> 如果无法立即升级，可自定义 BCryptPasswordEncoder 实现，添加长度检查<\/li> 密码策略应限制用户密码长度在合理范围内<\/li> <\/ol> 扩展思考<\/h2> 此漏洞模式可作为测试用例，适用于所有使用 BCrypt 的场景：<\/p> 检查 BCrypt 实现是否对输入密码长度进行验证<\/li> 验证超长密码是否会导致意外行为<\/li> 如果没有长度检查或异常处理，可能存在类似漏洞<\/li> <\/ol> 参考<\/h2> Spring Security 官方文档<\/li> BCrypt 算法规范<\/li> CVE-2025-22228 漏洞公告<\/li> <\/ol>