A pair of medium-severity vulnerabilities in the Spring Framework and Spring Security libraries was disclosed on September 15, 2025.
Both flaws involve the annotation detection mechanism used by Spring Security’s method security features and can lead to authorization bypass in applications that rely on parameterized types or unbounded generic superclasses.
Users of affected versions should upgrade to fixed releases or apply recommended mitigations immediately to prevent unauthorized access.
Vulnerability Details
CVE Identifier | Severity | Publication Date
--- | --- | ---
CVE-2025-41248 | Medium | September 15, 2025
CVE-2025-41249 | Medium | September 15, 2025
Spring Security’s @EnableMethodSecurity feature relies on detecting method-level annotations such as @PreAuthorize to enforce access controls.
In certain type hierarchies where a superclass or interface uses unbounded generics, the framework may fail to correctly resolve annotations on inherited methods.
Attackers could exploit this by invoking secured methods without proper permission checks, effectively bypassing authorization.
The first issue, tracked as CVE-2025-41248, affects Spring Security versions 6.4.0 through 6.4.9 and 6.5.0 through 6.5.3. It specifically concerns method security annotations on parameterized types.
The second, CVE-2025-41249, spans Spring Framework versions 5.3.0 through 5.3.44, 6.1.0 through 6.1.22, and 6.2.0 through 6.2.10, as well as older unsupported releases.
Both vulnerabilities were responsibly reported by an anonymous researcher and published concurrently.
Organizations using Spring Security’s method-level annotations on generic superclasses or interfaces are at risk of unauthorized method invocation.
Applications that do not use @EnableMethodSecurity or do not apply security annotations on generic types remain unaffected.
To address CVE-2025-41248, users should upgrade to Spring Security 6.4.10 or 6.5.4. For CVE-2025-41249, fixed versions include Spring Framework 5.3.45, 6.1.23 (commercial), and 6.2.11.
No other mitigation steps are required beyond upgrading. If upgrading immediately is not feasible, developers can work around CVE-2025-41248 by declaring all secured methods directly in their target classes rather than inheriting them from generic superclasses.
Development teams should audit their codebases for use of @EnableMethodSecurity and method-level annotations on generic types.
Continuous integration pipelines can include automated dependency scans to flag vulnerable Spring releases.
Updating to the recommended fixed versions will restore correct annotation resolution and prevent security bypass. Finally, teams should review their access-control test suites to ensure that inherited methods are properly covered.
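The workaround of declaring secured methods directly in the target class, and the kind of access-control test that covers inherited methods, as one added example. This code is not from the advisory or from the Spring projects; the class names (CrudService, InheritedDocumentService, ExplicitDocumentService, Document), the hasRole('ADMIN') rule, and the test wiring are hypothetical and assume Spring Security 6.x, spring-test, spring-security-test and JUnit 5 on the classpath.

```java
// Added example, not code from the advisory or the Spring projects.
// Shows the affected shape (a @PreAuthorize method inherited from an unbounded
// generic superclass), the workaround (declaring the secured method directly on
// the concrete class), and a test that exercises both paths.
package com.example.methodsecurity; // hypothetical package

import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

// Hypothetical entity type used as the generic argument.
record Document(String id) {}

// Unbounded generic base type: the annotation lives on an inherited method.
// This is the pattern the advisory describes as affected on vulnerable versions.
abstract class CrudService<T> {
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(T entity) {
        // deletion logic would go here
    }
}

// Relies on annotation resolution through the generic hierarchy.
class InheritedDocumentService extends CrudService<Document> {
}

// Workaround shape from the advisory: the secured method is declared directly
// on the target class with its own annotation, so enforcement does not depend
// on resolving the annotation through the generic superclass.
class ExplicitDocumentService extends CrudService<Document> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(Document entity) {
        super.delete(entity);
    }
}

// Turns on method security for the test context.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Access-control test that covers the inherited method as well as the
// explicitly declared one. On an affected version the first test is the one
// that surfaces a missing check; on a fixed version all three should pass.
@SpringJUnitConfig(classes = {
        MethodSecurityConfig.class,
        InheritedDocumentService.class,
        ExplicitDocumentService.class
})
class DeleteAuthorizationTest {

    @Autowired InheritedDocumentService inherited;
    @Autowired ExplicitDocumentService explicit;

    @Test
    @WithMockUser(roles = "USER")
    void inheritedDeleteIsDeniedForNonAdmin() {
        assertThrows(AccessDeniedException.class,
                () -> inherited.delete(new Document("doc-1")));
    }

    @Test
    @WithMockUser(roles = "USER")
    void explicitDeleteIsDeniedForNonAdmin() {
        assertThrows(AccessDeniedException.class,
                () -> explicit.delete(new Document("doc-1")));
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminCanDelete() {
        assertDoesNotThrow(() -> explicit.delete(new Document("doc-1")));
    }
}
```

The test registers the services as beans explicitly rather than through component scanning so that the method-security proxies are applied in the test context; the assertion on AccessDeniedException also covers Spring Security 6's AuthorizationDeniedException, which extends it. Keeping a test like inheritedDeleteIsDeniedForNonAdmin in the suite is what makes the upgrade verifiable rather than assumed.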