This came up during a penetration test where they were trying to force error 500 pages to determine extra system information.
When they sent in bad Base64 string, e.g. "0" or "65535", the Base64.isArrayByteBase64() check in AbstractRememberMeServices.decodeCookie() is insufficient since it only checks that the characters are part of the Base64 alphabet, not that the string has a length divisible by 4 or other sanity checks.
The result is a runtime exception that's not caught in AbstractRememberMeServices.autoLogin() so it propagates out as a 500 exception. Adding a check for RuntimeException would be consistent with the rest of the code: