CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.