CVE-2025-41248

Published Sep 16, 2025

Last updated 8 days ago

Spring Security

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-41248 is a vulnerability in Spring Security that arises from the incorrect resolution of annotations on methods within type hierarchies that have a parameterized super type with unbounded generics. This can lead to an authorization bypass when using annotations like @PreAuthorize for method security. This vulnerability affects applications using Spring Security's @EnableMethodSecurity feature. If security annotations are not correctly detected on methods in generic superclasses or interfaces, unauthorized access to protected endpoints may occur. To mitigate this, users of affected Spring Security versions should upgrade to the corresponding fixed versions. If upgrading is not possible immediately, a workaround is to ensure all secured target methods are declared in their target class.

Description: The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41249 https://spring.io/security/cve-2025-41249 .
Source: security@vmware.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-289

Hype score: Not currently trending

References