From 943c75d868d48159a4a6771191aba85606238c8d Mon Sep 17 00:00:00 2001
From: "Gerlach, Winfried"
Date: Fri, 12 Jun 2026 19:55:26 +0200
Subject: [PATCH 1/2] #19329 re-introduce fail-fast in IpInetAddressMatcher to avoid ArrayIndexOutOfBoundsException

Signed-off-by: Gerlach, Winfried
---
 .../security/util/matcher/IpInetAddressMatcher.java | 3 +++
 .../security/util/matcher/IpInetAddressMatcherTests.java | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java b/core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java
index 7f7e338ea2e..471d81783d0 100644
--- a/core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java
+++ b/core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java
@@ -89,6 +89,9 @@ public boolean matches(@Nullable InetAddress toCheck) {
 if (toCheck == null) {
 return false;
 }
+ if (!this.requiredAddress.getClass().equals(toCheck.getClass())) {
+ return false;
+ }
 if (this.nMaskBits < 0) {
 return toCheck.equals(this.requiredAddress);
 }
diff --git a/core/src/test/java/org/springframework/security/util/matcher/IpInetAddressMatcherTests.java b/core/src/test/java/org/springframework/security/util/matcher/IpInetAddressMatcherTests.java
index ecac4658249..e0324bcf4d4 100644
--- a/core/src/test/java/org/springframework/security/util/matcher/IpInetAddressMatcherTests.java
+++ b/core/src/test/java/org/springframework/security/util/matcher/IpInetAddressMatcherTests.java
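Review bot: The address-family check added to `matches()` in IpInetAddressMatcher.java has no comment saying why it must stay, although the subject line says it is being re-introduced and the regression test records an ArrayIndexOutOfBoundsException without it. A one-line comment above the `if` would stop it being dropped again as redundant, for example `// Address families must match before any byte-wise comparison; without this guard matches() threw ArrayIndexOutOfBoundsException (#19329)`. This matcher typically backs IP-based access rules, where an exception surfaces as a failed request instead of a clean non-match, so the guard is worth marking as load-bearing. The body of `matches()` continues past the end of the hunk, so the masked comparison that presumably relies on the guard is not visible here.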
@@ -105,6 +105,14 @@ void matchesWhenIpv4AndIpv6AddressThenReturnsFalse() throws Exception {
 assertThat(matcher.matches(InetAddress.getByName("fe80::21f:5bff:fe33:bd68"))).isFalse();
 }

+ // regression test for #19329 "ArrayIndexOutOfBoundsException using IpAddressMatcher"
+ // this test failed with ArrayIndexOutOfBoundsException in Spring Security 7.1.0
+ @Test
+ void matchesWhenIpv4AndIpv6AddressThenFailFast() throws Exception {
+ IpInetAddressMatcher matcher = new IpInetAddressMatcher("::1/128");
+ assertThat(matcher.matches(InetAddress.getByName("0.0.0.0"))).isFalse();
+ }
+
 @Test
 void matchesWhenIpv6AndIpv4AddressThenReturnsFalse() throws Exception {
 IpInetAddressMatcher matcher = new IpInetAddressMatcher("fe80::21f:5bff:fe33:bd68");
From 0943cb15b69f4ebec84ad20128f0ff566f44d829 Mon Sep 17 00:00:00 2001
From: "Gerlach, Winfried"
Date: Fri, 12 Jun 2026 19:55:54 +0200
Subject: [PATCH 2/2] remove unused private method

Signed-off-by: Gerlach, Winfried
---
 .../util/matcher/IpInetAddressMatcher.java | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java b/core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java
index 471d81783d0..1da433e6dd7 100644
--- a/core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java
+++ b/core/src/main/java/org/springframework/security/util/matcher/IpInetAddressMatcher.java
@@ -17,7 +17,6 @@
 package org.springframework.security.util.matcher;

 import java.net.InetAddress;
-import java.net.UnknownHostException;
 import java.util.Objects;

 import org.apache.commons.logging.Log;
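Review bot: The regression test `matchesWhenIpv4AndIpv6AddressThenFailFast` exercises only one direction of the new guard, an IPv6 matcher with a prefix length checked against an IPv4 address. The mirrored case, a masked IPv4 matcher checked against an IPv6 address, is not visibly covered in this hunk and may not have thrown before the fix, so a wrong result there could pass unnoticed; consider adding `assertThat(new IpInetAddressMatcher("192.168.1.0/24").matches(InetAddress.getByName("::1"))).isFalse();` (sample addresses). The name also has the families reversed relative to the neighbouring `matchesWhenIpv6AndIpv4AddressThenReturnsFalse`, where the matcher family comes first, and `ThenFailFast` does not describe the asserted result; `matchesWhenIpv6MaskAndIpv4AddressThenReturnsFalse` would fit the existing convention.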
@@ -70,20 +69,6 @@ final class IpInetAddressMatcher implements InetAddressMatcher {
 .format("IP address %s is too short for bitmask of length %d", requiredAddress, this.nMaskBits));
 }

- private static InetAddress parse(String address) {
- try {
- InetAddress result = InetAddress.getByName(address);
- if (address.matches(".*[a-zA-Z\\-].*$") && !address.contains(":")) {
- logger.warn("Hostname '" + address + "' resolved to " + result.toString()
- + " will be used on IP address matching");
- }
- return result;
- }
- catch (UnknownHostException ex) {
- throw new IllegalArgumentException(String.format("Failed to parse address '%s'", address), ex);
- }
- }
-
 @Override
 public boolean matches(@Nullable InetAddress toCheck) {
 if (toCheck == null) {