diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
index bdc4638916..cce8c11c9c 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
@@ -780,6 +780,10 @@ public class BCrypt {
 		// Extract number of rounds
 		if (salt.charAt(off + 2) > '$')
 			throw new IllegalArgumentException ("Missing salt rounds");
+
+		if (off == 4 && saltLength < 29) {
+			throw new IllegalArgumentException("Invalid salt");
+		}
 		rounds = Integer.parseInt(salt.substring(off, off + 2));
 
 		real_salt = salt.substring(off + 3, off + 25);
diff --git a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
index 1ffb9babfe..3447502de3 100644
--- a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
+++ b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
@@ -338,6 +338,11 @@ public class BCryptTests {
 				"$2$05$......................bvpG2UfzdyW/S0ny/4YyEZrmczoJfVm");
 	}
 
+	@Test(expected = IllegalArgumentException.class)
+	public void hashpwFailsWhenSaltIsTooShort() {
+		BCrypt.hashpw("password", "$2a$10$123456789012345678901");
+	}
+
 	@Test
 	public void equalsOnStringsIsCorrect() {
 		assertThat(BCrypt.equalsNoEarlyReturn("", "")).isTrue();