CVE-2025-41248

Severity: 7.5 HIGH
EPSS: 0.1% (top 79.90%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 16, latest update Jan 15

Description

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do no

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
(Decoded: network attack vector, low attack complexity, no privileges and no user interaction required, scope unchanged; high confidentiality impact, no integrity or availability impact.)

Affected Packages (3 packages)

CVEList V5 | vmware/spring_security | 6.4.x | 6.4.11 | +1
CVEList V5 | vmware/spring_framework | 6.2.x | 6.2.11 | +2

🔴 Vulnerability Details (4)

GHSA: Spring Security annotation detection mechanism has authorization bypass (2025-09-16)
CVEList: CVE-2025-41248: Spring Security authorization bypass for method security annotations on parameterized types (2025-09-16)
OSV: Spring Security annotation detection mechanism has authorization bypass (2025-09-16)
GHSA: Spring Framework annotation detection mechanism may result in improper authorization (2025-09-16)

📋 Vendor Advisories (3)

Oracle: Oracle Financial Services Applications Risk Matrix: Installer (Spring Security) — CVE-2025-41248 (2026-01-15)
Red Hat: org.springframework.security/spring-security-core: Spring Security authorization bypass (2025-09-16)
Red Hat: org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability (2025-09-16)