
HaveIBeenPwnedRestApiPasswordChecker implementations are not thread-safe #18234

@garvit-joshi

Description

HaveIBeenPwnedRestApiPasswordChecker stores a single MessageDigest instance as a field and reuses it across all invocations of check(). Since MessageDigest is not thread-safe, concurrent calls can produce incorrect hash values.

To Reproduce

  1. Register HaveIBeenPwnedRestApiPasswordChecker as a singleton bean
  2. Call check() concurrently from multiple threads
  3. Hash computation becomes unreliable due to shared mutable state in MessageDigest

Expected behavior

The checker should produce correct results under concurrent access. A new MessageDigest instance should be created per invocation instead of reusing a shared instance.
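As an added illustration that is not part of this issue or of Spring Security's own code: the hypothetical `SharedDigestHasher` below reproduces the pattern the report describes (one `MessageDigest` held in a field and reused by every call), `PerCallDigestHasher` creates a fresh instance per invocation as the expected behavior suggests, and `countMismatches` runs each variant under concurrent load and compares the results against hashes computed serially. The choice of SHA-1, the class names and the sample inputs are assumptions made for the demo, not details taken from the issue.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HexFormat;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

public class DigestThreadSafetyDemo {

    /** Hypothetical hasher mirroring the reported defect: one MessageDigest shared by all callers. */
    static final class SharedDigestHasher {
        private final MessageDigest digest = newSha1();

        String hash(String password) {
            // digest() does update + finish + reset on the shared state; two threads
            // interleaving those steps corrupt each other's buffers and byte counts.
            return HexFormat.of().withUpperCase()
                    .formatHex(digest.digest(password.getBytes(StandardCharsets.UTF_8)));
        }
    }

    /** Hypothetical fixed variant: a new MessageDigest per invocation, so nothing is shared. */
    static final class PerCallDigestHasher {
        String hash(String password) {
            return HexFormat.of().withUpperCase()
                    .formatHex(newSha1().digest(password.getBytes(StandardCharsets.UTF_8)));
        }
    }

    static MessageDigest newSha1() {
        try {
            return MessageDigest.getInstance("SHA-1"); // assumed algorithm; the issue does not name one
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Hashes every input concurrently, many rounds each, and counts results that differ from the serial reference. */
    static int countMismatches(Function<String, String> hasher, List<String> inputs, int threads)
            throws InterruptedException {
        // Reference values computed single-threaded with a private digest per call
        List<String> expected = new ArrayList<>();
        for (String in : inputs) expected.add(new PerCallDigestHasher().hash(in));

        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);   // release all workers at once to maximise overlap
        AtomicInteger mismatches = new AtomicInteger();
        List<Future<?>> futures = new ArrayList<>();
        for (int i = 0; i < inputs.size(); i++) {
            final int idx = i;
            futures.add(pool.submit(() -> {
                try {
                    start.await();
                    for (int round = 0; round < 200; round++) {
                        if (!expected.get(idx).equals(hasher.apply(inputs.get(idx)))) {
                            mismatches.incrementAndGet();
                        }
                    }
                } catch (Exception e) {
                    // Corrupted internal buffers can also surface as exceptions; count those as failures too
                    mismatches.incrementAndGet();
                }
            }));
        }
        start.countDown();
        for (Future<?> f : futures) {
            try { f.get(); } catch (ExecutionException e) { mismatches.incrementAndGet(); }
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return mismatches.get();
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample inputs; any set of distinct strings works
        List<String> inputs = new ArrayList<>();
        for (int i = 0; i < 64; i++) inputs.add("sample-password-" + i);

        SharedDigestHasher shared = new SharedDigestHasher();
        int sharedMismatches = countMismatches(shared::hash, inputs, 16);
        int perCallMismatches = countMismatches(new PerCallDigestHasher()::hash, inputs, 16);

        System.out.println("shared MessageDigest  mismatches: " + sharedMismatches + " (typically > 0)");
        System.out.println("per-call MessageDigest mismatches: " + perCallMismatches + " (always 0)");
    }
}
```

Run with `java DigestThreadSafetyDemo.java` on Java 17 or later (`HexFormat` needs 17). The shared variant usually reports a non-zero count or throws from inside the digest, while the per-call variant reports zero; `MessageDigest.getInstance` is cheap relative to the network round trip such a checker makes, so creating one per call costs nothing measurable. The point worth noting for detection is that a corrupted digest is not an error condition: the caller simply proceeds with a wrong hash, which is why the symptom in the report is silently unreliable results rather than a stack trace.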
