The Spring team has disclosed two related vulnerabilities—CVE-2025-41248 and CVE-2025-41249—that affect Spring Security and the Spring Framework. Both issues stem from annotation resolution flaws in method security checks when parameterized types with unbounded generics are involved. While rated CVSS 4.4 (Medium severity), these vulnerabilities pose meaningful risks for applications relying on method-level security annotations such as @PreAuthorize.
CVE-2025-41248: Spring Security Authorization Bypass
The first issue impacts Spring Security. As the advisory explains, “The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass.”
This vulnerability affects applications that enable method-level security via @EnableMethodSecurity. If your project does not use this feature or does not rely on security annotations in generic superclasses or interfaces, you are not exposed.
Affected versions:
- Spring Security 6.4.0 – 6.4.9
- Spring Security 6.5.0 – 6.5.3
Fixes:
- Spring Security 6.4.10 (OSS)
- Spring Security 6.5.4 (OSS)
CVE-2025-41249: Spring Framework Annotation Detection Flaw
A related flaw exists in the Spring Framework itself. According to the advisory, “The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.”
As with CVE-2025-41248, only projects that leverage @EnableMethodSecurity and place security annotations on generic type hierarchies are at risk.
Affected versions:
- Spring Framework 6.2.0 – 6.2.10
- Spring Framework 6.1.0 – 6.1.22
- Spring Framework 5.3.0 – 5.3.44
- Older unsupported versions
Fixes:
- Spring Framework 6.2.11 (OSS)
- Spring Framework 6.1.23 (Commercial)
- Spring Framework 5.3.45 (Commercial)
Mitigation and Recommendations
For both CVEs, the Spring team strongly advises upgrading to the patched versions. If upgrades are not immediately possible, the advisory notes: “you can ensure all secured target methods are declared in their target class.”
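The following Java snippet is an added illustration and is not code from the Spring advisory or the Spring project. It shows the two layouts the advisory contrasts: a secured method inherited from a parameterized supertype (the shape to audit for while on an affected version) and the same method declared directly on the target class (the advisory's workaround), followed by a regression test so the project's own suite would catch a future refactor that moves the annotation back into the hierarchy. The class names (Order, GenericService, OrderServiceAtRisk, OrderService, MethodSecurityConfig) and the Spring Boot test wiring are assumptions for the example; the exact generic shape that triggers the flaw is not specified by the advisory beyond "parameterized super type with unbounded generics".

```java
// Added illustration, not code from the Spring advisory. Class names and the
// Spring Boot test wiring are assumptions for this example.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

record Order(String id) {}

// Layout to audit for: the secured method is declared in a parameterized
// supertype and the concrete bean only inherits it. On the affected versions the
// annotation lookup through such a hierarchy may fail, so the check may be skipped.
abstract class GenericService<T> {
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(T entity) {
        // delete logic
    }
}

class OrderServiceAtRisk extends GenericService<Order> {
}

// Workaround from the advisory: declare the secured method on the target class
// itself, so annotation resolution does not depend on the generic hierarchy.
class OrderService {
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(Order order) {
        // delete logic
    }
}

// Method security must be enabled for @PreAuthorize to be enforced at all.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
    @Bean
    OrderService orderService() {
        return new OrderService();
    }
}

// Regression check: a caller without ROLE_ADMIN must be refused and an admin
// must get through. Keeping this in the suite catches a later refactor that
// silently moves the annotation back into an inherited generic method.
@SpringBootTest(classes = MethodSecurityConfig.class)
class OrderServiceAuthorizationTest {
    @Autowired
    OrderService orderService;

    @Test
    @WithMockUser(roles = "USER")
    void nonAdminIsDenied() {
        assertThrows(AccessDeniedException.class,
                () -> orderService.delete(new Order("o-1")));
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminIsAllowed() {
        assertDoesNotThrow(() -> orderService.delete(new Order("o-1")));
    }
}
```

Running the same two tests against a bean shaped like OrderServiceAtRisk is a quick way to confirm whether a particular dependency version enforces the inherited annotation; the upgrade to the fixed versions remains the recommended resolution, with the declared-in-target-class layout as the interim measure.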