CVE-2025-41249
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-09-16

Assigner: VMware

Description
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurityΒ feature. You are not affected by this if you are not using @EnableMethodSecurityΒ or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-09-16
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-14
NVD
CVE-2025-41249
EUVD
EUVD-2025-29537
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
spring spring_framework 6.2.11
spring spring_framework 6.2.0
spring spring_framework 6.1.23
spring spring_framework 5.3.45
spring spring_framework 6.1.0
spring spring_framework 5.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Spring Framework occurs because its annotation detection mechanism may fail to correctly identify annotations on methods within type hierarchies that use parameterized super types with unbounded generics. This can cause security annotations used for authorization decisions to be ignored or misapplied, potentially allowing unauthorized access in applications using Spring Security's @EnableMethodSecurity feature. [1]

Impact Analysis

If your application uses Spring Security's @EnableMethodSecurity and applies security annotations on methods in generic superclasses or interfaces, this vulnerability can lead to incorrect authorization decisions. This means unauthorized users might gain access to protected methods or resources, compromising the security of your application. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade your Spring Framework to a fixed version. Specifically, upgrade to 6.2.11 if using 6.2.x, 6.1.23 if using 6.1.x, or 5.3.45 if using 5.3.x. No additional mitigation steps are necessary beyond upgrading. Note that version 6.0.x is out of support and has no fix available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41249. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart