CVE-2025-41248
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-09-16

Assigner: VMware

Description
The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorizeΒ and other method security annotations, resulting in an authorization bypass. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurityΒ feature. You are not affected by this if you are not using @EnableMethodSecurityΒ or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41249 https://spring.io/security/cve-2025-41249 .
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-09-16
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-14
NVD
CVE-2025-41248
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
spring spring_security 6.4.2
spring spring_security 6.5.1
spring spring_security 6.4.9
spring spring_security 6.5.4
spring spring_security 6.4.4
spring spring_security 6.4.10
spring spring_security 6.4.7
spring spring_security 6.5.3
spring spring_security 6.4.5
spring spring_security 6.5.2
spring spring_security 6.4.8
spring spring_security 6.4.0
spring spring_security 6.4.1
spring spring_security 6.4.6
spring spring_security 6.5.0
spring spring_security 6.4.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-289 The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Spring Security occurs because the annotation detection mechanism fails to correctly resolve security annotations like @PreAuthorize on methods within type hierarchies that use parameterized super types with unbounded generics. This flaw can cause an authorization bypass when using the @EnableMethodSecurity feature, allowing unauthorized users to access secured methods. [1]

Impact Analysis

If your application uses Spring Security's @EnableMethodSecurity feature and applies security annotations on methods declared in generic superclasses or interfaces, this vulnerability can allow unauthorized users to bypass authorization controls and access secured methods. If you do not use these configurations, you are not affected. [1]

Mitigation Strategies

To mitigate this vulnerability, upgrade Spring Security to version 6.4.10 or later if you are using the 6.4.x branch, or to version 6.5.4 or later if you are using the 6.5.x branch. If upgrading is not possible, as a workaround, declare all secured target methods directly in their concrete target classes instead of in generic superclasses or interfaces. No additional mitigation steps are required. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41248. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart