Security Concern: JPasswordField Revealing Passwords in Memory

Jeremy Wood mickleness at gmail.com
Fri Jun 6 01:14:18 UTC 2025


Should this be written up at https://bugreport.java.com/bugreport/ , or 
does it deserve special treatment as a security vulnerability (and if 
so, what is that protocol)?

I was unable to review the document without an ibm account, so I can’t 
comment further on the problem or any potential resolution(s).

Sruthy: if you are an Oracle customer or partner there may be other 
faster channels 
<https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html> 
to discuss this.

Regards,
  - Jeremy


------ Original Message ------
From "Sruthy Jayan" <srutjay1 at in.ibm.com>
To "client-libs-dev at openjdk.org" <client-libs-dev at openjdk.org>
Cc "Swathi Kalahastri" <swkalaha at in.ibm.com>; "Syed Moinudeen" 
<smoinud1 at in.ibm.com>
Date 6/4/2025 1:42:01 AM
Subject Security Concern: JPasswordField Revealing Passwords in Memory

>Hi Team,
>
>We are encountering a potential security issue with JPasswordField in 
>the latest version of OpenJDK. While the issue is not present in OpenJ9 
>version 0.40.0, it becomes reproducible in version 0.41.0. 
>Specifically, after typing or pasting a password into the field, memory 
>inspection tools can reveal the password in plain text—even before the 
>password is submitted or any action is triggered.
>This behaviour is reproducible and raises concerns about sensitive data 
>being exposed unintentionally.
>We have attached a detailed document (ClearPasswordInMemoryIssue 1.docx 
><https://ibm-my.sharepoint.com/:w:/p/srutjay1_in/ETwf5z9omRlAoetv7snbnFcBrHxJwGXJpeDcvSv7Svp7Rw>) 
>outlining the issue, steps to reproduce, and our observations.
>Could someone from the community assist us in investigating or 
>addressing this issue? Please let us know if any additional information 
>is needed.
>Thank you for your time and support.
>Best Regards,
>Sruthy Jayan
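An added example, not code from either message or from OpenJDK, showing how application code should consume a JPasswordField's value: read it as a char[] via getPassword() rather than as a String, zero that copy once it has been used, and clear the field afterwards. The CredentialSink interface is a hypothetical stand-in for the application's authentication call; the example covers only what application code controls and does not address the field's own internal buffer, which is what the report above is about.

```java
import javax.swing.JPasswordField;
import java.util.Arrays;

public final class PasswordFieldHandling {

    // Hypothetical consumer of the credential. A real application would hand the
    // char[] directly to its authentication API and never convert it to a String.
    public interface CredentialSink {
        boolean accept(char[] secret);
    }

    /** Reads the field, passes the secret on, and scrubs what this code holds. */
    public static boolean submit(JPasswordField field, CredentialSink sink) {
        // getPassword() returns a fresh char[] copy that can be overwritten later.
        // The deprecated getText() would return an immutable String that cannot be
        // wiped and may stay on the heap until the garbage collector reclaims it.
        char[] secret = field.getPassword();
        try {
            return sink.accept(secret);
        } finally {
            // Overwrite our copy as soon as it has been consumed.
            Arrays.fill(secret, '\0');
            // Clear the field so its Document no longer references the characters.
            // This releases them for GC; it is not a guarantee that the old buffer
            // contents are wiped, which is outside application control.
            field.setText("");
        }
    }

    public static void main(String[] args) {
        JPasswordField field = new JPasswordField();
        field.setText("correct horse");            // constructed sample value
        boolean ok = submit(field, s -> s.length > 0);
        System.out.println("accepted=" + ok + ", fieldLength=" + field.getPassword().length);
        // prints: accepted=true, fieldLength=0
    }
}
```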