Two vulnerabilities, CVE-2025-41248 and CVE-2025-41249, both rated Medium severity, have been disclosed in Spring Security and Spring Framework. They allow attackers to bypass method-level authorization controls in enterprise applications.
These flaws arise when using Spring Security’s @EnableMethodSecurity feature in conjunction with method-level annotations such as @PreAuthorize and @PostAuthorize.
In applications where service interfaces or abstract base classes employ unbounded generics, the annotation detection mechanism may fail to locate the security annotation when a concrete class overrides the annotated method with a concrete type and does not redeclare the annotation. The overriding method is then treated as unprotected, enabling unauthorized access to the service operations behind it.
Key Takeaways
1. Spring Security 6.4.0 through 6.4.9 and 6.5.0 through 6.5.3 can miss @PreAuthorize/@PostAuthorize annotations inherited from generic interfaces or base classes, so overriding methods run without an authorization check (CVE-2025-41248).
2. Spring Framework 5.3.0 through 5.3.44, 6.1.0 through 6.1.22 and 6.2.0 through 6.2.10 carry the underlying annotation detection flaw for methods declared on generic superclasses (CVE-2025-41249).
3. Upgrade to Spring Security 6.4.10/6.5.4 and Spring Framework 5.3.45/6.1.23/6.2.11, or, as a workaround, redeclare the security annotations on the overriding methods in the concrete classes.
Both the authorization bypass and annotation detection flaws are classified as Medium severity and impact a wide range of Spring Security and Spring Framework versions spanning the 5.x through 6.x release trains.
Authorization Bypass Vulnerability (CVE-2025-41248)
CVE-2025-41248 affects Spring Security versions 6.4.0 through 6.4.9 and 6.5.0 through 6.5.3.
When a parameterized interface or superclass declares a secured method signature and the subclass overrides it with a concrete type without redeclaring the annotation, the framework's metadata resolver does not traverse the generic type hierarchy correctly and finds no security annotation for the concrete method.
An attacker who can reach such a method (for example through a controller that delegates to the service) may invoke it without the check that @PreAuthorize("hasRole('ADMIN')") or a similar SpEL expression on the generic declaration was meant to enforce.
The vulnerability carries a CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N); a score of 6.5 with high confidentiality impact and no integrity or availability impact corresponds to low privileges required, not none.
Annotation Detection Vulnerability (CVE-2025-41249)
CVE-2025-41249 affects Spring Framework core modules in versions 5.3.0 through 5.3.44, 6.1.0 through 6.1.22, and 6.2.0 through 6.2.10.
Here the flaw sits in the annotation introspection that Spring Security relies on: when a method annotation is declared on a generic base class or interface and the concrete class overrides the method with a concrete type, the annotation may not be detected on the overriding method.
Without the annotation metadata, Spring Security cannot enforce method-level security constraints.
Both vulnerabilities stem from improper handling of unbounded generics during annotation introspection, causing the runtime to ignore security metadata and treat sensitive service methods as if they were unprotected.
CVE | Title | CVSS 3.1 Score | Severity |
CVE-2025-41248 | Spring Security authorization bypass for method security annotations on parameterized types | 6.5 | Medium |
CVE-2025-41249 | Spring Framework annotation detection vulnerability on generic superclasses | 6.5 | Medium |
Mitigations
Spring maintainers have released fixed versions for all affected modules. For Spring Security, users should upgrade to 6.4.10 or 6.5.4.
For Spring Framework, the recommended upgrades are 5.3.45, 6.1.23, and 6.2.11. Full mitigation details are available in the Spring Security Advisories and RSS feed.
Teams unable to upgrade immediately can apply a temporary workaround by redeclaring the security annotation on every overriding method in the concrete class rather than relying on the annotation inherited from the generic interface or superclass.
Consistently placing @PreAuthorize, @PostAuthorize, and the other method security annotations on each implementing method means metadata lookup finds the annotation on the concrete method itself, which prevents the bypass regardless of how the generic hierarchy is resolved.
Development teams are urged to review code that uses @EnableMethodSecurity for security annotations declared on generic interfaces or abstract base classes whose methods are overridden in concrete classes without the annotation.
Static analysis tools and custom annotation scanning scripts should be updated to detect annotated methods correctly across type hierarchies.
Security teams must prioritize these upgrades in CI/CD pipelines to avoid inadvertent exposure of protected APIs. Continuous validation of method-level security, combined with code reviews focusing on generic service patterns, will strengthen authorization enforcement and guard against similar flaws.
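As an added illustration written for this page (it is not code from the Spring advisories or from the Spring projects), the following shows the class shape described above in its vulnerable form, the same class with the workaround from the Mitigations section applied, and a regression test of the kind that continuous validation in a CI pipeline would run. The domain and role names (Ticket, CrudService, TicketService, HardenedTicketService, ADMIN) are assumptions; the test depends on spring-test, spring-security-test and JUnit 5.

```java
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

// Illustrative domain type (an assumption for this example, not from the advisory).
record Ticket(long id) {}

// Generic contract with an unbounded type parameter T. The security annotation
// is declared only here, on the parameterized signature.
interface CrudService<T> {
    @PreAuthorize("hasRole('ADMIN')")
    void delete(T item);
}

// VULNERABLE shape on affected versions: the concrete class overrides delete(T)
// with the concrete type and does not redeclare @PreAuthorize. On Spring
// Security 6.4.0-6.4.9 / 6.5.0-6.5.3 (or an affected Spring Framework core) the
// annotation on CrudService.delete may not be found when method security
// metadata is resolved for delete(Ticket), so the call proceeds unchecked.
@Service
class TicketService implements CrudService<Ticket> {
    @Override
    public void delete(Ticket item) {
        // privileged operation
    }
}

// HARDENED shape (the advisory workaround): redeclare the annotation on the
// overriding method so metadata lookup finds it on the concrete method itself,
// independent of generic type resolution.
@Service
class HardenedTicketService implements CrudService<Ticket> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(Ticket item) {
        // privileged operation
    }
}

// proxyTargetClass = true gives CGLIB proxies so the beans can be injected by
// their concrete class below; proxyBeanMethods = false keeps this package-private
// configuration class free of CGLIB enhancement.
@Configuration(proxyBeanMethods = false)
@EnableMethodSecurity(proxyTargetClass = true)
class MethodSecurityConfig {
}

// Regression test: on a fixed version both services reject a non-admin caller.
// On an affected version inheritedAnnotationIsEnforcedOnConcreteClass fails,
// which is exactly the signal a CI pipeline should surface.
@SpringJUnitConfig(classes = {MethodSecurityConfig.class, TicketService.class, HardenedTicketService.class})
class MethodSecurityInheritanceTest {

    @Autowired
    TicketService ticketService;

    @Autowired
    HardenedTicketService hardenedTicketService;

    @Test
    @WithMockUser(roles = "USER")
    void inheritedAnnotationIsEnforcedOnConcreteClass() {
        // AuthorizationDeniedException thrown by Spring Security 6.x extends AccessDeniedException.
        assertThrows(AccessDeniedException.class, () -> ticketService.delete(new Ticket(1)));
    }

    @Test
    @WithMockUser(roles = "USER")
    void redeclaredAnnotationIsEnforced() {
        assertThrows(AccessDeniedException.class, () -> hardenedTicketService.delete(new Ticket(1)));
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminIsAllowed() {
        ticketService.delete(new Ticket(1));
        hardenedTicketService.delete(new Ticket(1));
    }
}
```

The first test is the one worth keeping after the upgrade: it pins the expectation that an annotation declared on a generic interface is honoured on the concrete override, so a future regression in annotation detection shows up as a failed build rather than an exposed service method.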