UAA User creation fails with "password cannot be more than 72 bytes"

Article ID: 419358

Products

VMware Tanzu Application Service

Issue/Introduction

When attempting to create a UAA user with the uaac CLI in Tanzu Platform for Cloud Foundry (TPCF) / Elastic Application Runtime, the request fails with the following error:

error response:
{
  "error_description": "password cannot be more than 72 bytes",
  "error": "scim",
  "message": "password cannot be more than 72 bytes"
}

Environment

TPCF 6.0.21

TPCF 10.2.0+

TPCF 10.3.0+

Cause

This is a consequence of the fix for CVE-2025-22228 in Spring Security. Before the fix, passwords longer than 72 bytes could be set for UAA users and clients, but BCryptPasswordEncoder, which UAA uses to hash and verify passwords, only ever processes the first 72 bytes of its input. Anything beyond that was silently discarded, so only the first 72 bytes of a longer password were validated, and any password sharing that 72-byte prefix would have been accepted. The limit is measured in bytes of the UTF-8 encoding, not in characters. The fix makes BCryptPasswordEncoder reject input longer than 72 bytes instead of truncating it, which is the error UAA now returns.

The Spring Security advisory for CVE-2025-22228 lists the releases that contain this fix. The TPCF releases listed above ship UAA releases built against a fixed Spring Security version.

Resolution

UAA and Spring Security now enforce the 72-byte limit that is inherent to BCrypt. Choose a password of at most 72 bytes. Because the limit counts UTF-8 bytes rather than characters, a password containing non-ASCII characters (2 to 4 bytes each) can exceed 72 bytes with fewer than 72 characters. Passwords longer than 72 bytes are also no longer accepted for authentication after the fix, so existing users or clients that had such passwords should have them reset to a password within the limit.

An issue has been opened on the UAA GitHub repository to look at supporting passwords longer than the 72-byte BCrypt limit. If this changes in a future release, this article will be updated.

https://github.com/cloudfoundry/uaa/issues/3333
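The following shell snippet is an added example and is not part of this article or of UAA/uaac. It illustrates both the cause described above (BCrypt only ever processed the first 72 bytes, so passwords sharing a 72-byte prefix were indistinguishable) and the resolution: it measures a candidate password in UTF-8 bytes rather than characters, rejects anything over 72 bytes with the same message UAA returns, and generates a random password that is guaranteed to fit. The `uaac user add` invocation in the usage comment is assumed; check `uaac user add --help` for the exact options in your version.

```shell
#!/bin/sh
# Added example, not part of the KB article or of UAA/uaac: pre-flight
# checks for the 72-byte BCrypt input limit that UAA now enforces, so a
# password can be validated locally before "uaac user add" sends it.
BCRYPT_MAX_BYTES=72

# Length of $1 in bytes of its UTF-8 encoding, which is what BCrypt hashes.
# This differs from the character count whenever the password contains
# non-ASCII characters (2 to 4 bytes each in UTF-8).
pw_bytes() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# The part of $1 that BCrypt actually processed before the fix: the first
# 72 bytes. Two passwords with the same 72-byte prefix hashed identically,
# which is the behaviour CVE-2025-22228 describes.
effective_input() {
    printf '%s' "$1" | head -c "$BCRYPT_MAX_BYTES"
}

# Succeeds (0) if $1 fits the limit, otherwise prints the reason to stderr
# and fails (1), mirroring the error UAA returns after the fix.
check_pw_len() {
    n=$(pw_bytes "$1")
    if [ "$n" -gt "$BCRYPT_MAX_BYTES" ]; then
        printf 'password cannot be more than %s bytes (got %s)\n' \
            "$BCRYPT_MAX_BYTES" "$n" >&2
        return 1
    fi
    return 0
}

# Random password that always fits: 48 random bytes -> 64 base64 characters,
# all ASCII, so exactly 64 bytes. (Assumes /dev/urandom and a base64 tool.)
gen_pw() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Usage (assumed uaac invocation; verify against "uaac user add --help"):
#   PW=$(gen_pw)
#   check_pw_len "$PW" && uaac user add "$USERNAME" --emails "$EMAIL" -p "$PW"
```

`pw_bytes` deliberately pipes through `wc -c` instead of using `${#var}`, because the latter counts characters in a UTF-8 locale and would under-report a password such as 37 copies of "é" (37 characters, 74 bytes), which UAA rejects.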