Security Concern: JPasswordField Revealing Passwords in Memory

Sruthy Jayan srutjay1 at in.ibm.com
Wed Jun 4 05:42:01 UTC 2025


Hi Team,

We are encountering a potential security issue with JPasswordField in the latest version of OpenJDK. While the issue is not present in OpenJ9 version 0.40.0, it becomes reproducible in version 0.41.0. Specifically, after typing or pasting a password into the field, memory inspection tools can reveal the password in plain text—even before the password is submitted or any action is triggered.
This behaviour is reproducible and raises concerns about sensitive data being exposed unintentionally.
We have attached a detailed document (ClearPasswordInMemoryIssue 1.docx <https://ibm-my.sharepoint.com/:w:/p/srutjay1_in/ETwf5z9omRlAoetv7snbnFcBrHxJwGXJpeDcvSv7Svp7Rw>) outlining the issue, steps to reproduce, and our observations.
Could someone from the community assist us in investigating or addressing this issue? Please let us know if any additional information is needed.
Thank you for your time and support.
Best Regards,
Sruthy Jayan


More information about the client-libs-dev mailing list