A security audit at our company found that the prefix of our bcrypt hashes is "$2a$". According to  and  this could indicate that an older, vulnerable bcrypt implementation is used.
So, here are my questions:
- Does Spring Security's bcrypt implementation contain the vulnerability?
- Does Spring Security support the "$2x$" and "$2y$" prefixes?
- The links you provide are about a vulnerability in the C implementation of BCrypt. The Spring Security implementation is a fork of jBCrypt, which is a different implementation written in Java.
- Looking at the source code, as of version 3.2.5, Spring Security doesn't support the "$2x$" and "$2y$" prefixes. The implementation does not contain the C vulnerability, but it is not interoperable with current C-based implementations (like PHP).
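As an added example, not code from the question, the answer, or Spring Security itself: a small Python audit helper that parses stored bcrypt hashes, counts them per prefix, and relabels `$2y$` hashes to `$2a$` so a `$2a$`-only verifier such as the jBCrypt fork can check them (the salt, cost and digest are unchanged; only the label differs). The sample hashes are constructed, not real password hashes, and the relabel/incompatibility policy is this example's own assumption.

```python
import re
from collections import Counter

# Modular-crypt layout: $<version>$<cost>$<22-char salt><31-char digest>,
# salt and digest both in bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Assumed policy: "$2y$" is crypt_blowfish's label for a correctly computed
# hash, so a "$2a$"-only verifier can check it once relabelled. "$2x$" marks
# a digest from the buggy crypt_blowfish key setup, "$2$" predates the "$2a$"
# fixes and "$2b$" is a later OpenBSD revision; none is relabelled here.
_RELABEL_TO_2A = {"2a": "2a", "2y": "2a"}


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt hash into its fields, rejecting malformed strings."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError(f"not a bcrypt hash: {hash_str!r}")
    fields = m.groupdict()
    fields["cost"] = int(fields["cost"])
    if not 4 <= fields["cost"] <= 31:
        raise ValueError(f"bcrypt cost out of range: {fields['cost']}")
    return fields


def for_2a_only_verifier(hash_str: str) -> str:
    """Return the hash as a "$2a$"-only verifier must see it (label only)."""
    version = parse_bcrypt(hash_str)["version"]
    if version not in _RELABEL_TO_2A:
        raise ValueError(f"version ${version}$ cannot be relabelled safely")
    return hash_str.replace(f"${version}$", f"${_RELABEL_TO_2A[version]}$", 1)


def audit(hashes) -> dict:
    """Count hashes per prefix; list malformed ones and ones a $2a$ verifier can't check."""
    versions, incompatible, malformed = Counter(), [], []
    for h in hashes:
        try:
            v = parse_bcrypt(h)["version"]
        except ValueError:
            malformed.append(h)
            continue
        versions[v] += 1
        if v not in _RELABEL_TO_2A:
            incompatible.append(h)
    return {"versions": dict(versions), "incompatible": incompatible, "malformed": malformed}


# Constructed sample values (valid layout, not hashes of any real password).
SAMPLE_2Y = "$2y$10$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU"
SAMPLE_2X = "$2x$08$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU"

if __name__ == "__main__":
    print(audit([SAMPLE_2Y, SAMPLE_2X, "notahash"]))
    print(for_2a_only_verifier(SAMPLE_2Y))
```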