Diagram illustrating Spring Security authorization bypass due to annotation detection flaws on generic superclasses in Spring Framework and Spring Security.

Two medium-severity vulnerabilities in Spring Framework and Spring Security, disclosed on September 15, 2025, allow authorization bypass due to flaws in annotation detection on generic superclasses or interfaces. CVE-2025-41248 affects Spring Security versions 6.4.0–6.4.9 and 6.5.0–6.5.3, while CVE-2025-41249 impacts Spring Framework versions 5.3.0–5.3.44, 6.1.0–6.1.22, and 6.2.0–6.2.10.


Because annotation detection fails on methods inherited from generic superclasses or interfaces, the framework does not apply the security annotation to the inherited method, so an attacker can invoke a secured method without the intended authorization check. Users should upgrade to Spring Security 6.4.10/6.5.4 and Spring Framework 5.3.45/6.1.23/6.2.11 immediately.


If upgrading is not possible, declaring secured methods directly in the target classes (rather than relying on annotations inherited from a generic superclass or interface) can mitigate CVE-2025-41248. Teams should audit applications that use @EnableMethodSecurity for security annotations declared on generic types, and update their tests to cover inherited methods.
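As an added example (not code from the advisory or the Spring projects), the following shows the inheritance pattern the advisory describes, the workaround of declaring the annotation on the concrete class, and a regression test that exercises the inherited method; all class and method names are hypothetical, and JUnit 5 plus spring-security-test are assumed on the classpath.

```java
// Added illustration (not Spring's or the advisory's code); all names are hypothetical.
import static org.junit.jupiter.api.Assertions.assertThrows;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

record Account(String id) {}

// The security annotation lives only on a generic interface method.
interface AdminOperations<T> {
    @PreAuthorize("hasRole('ADMIN')")
    void purge(T entity);
}

// Relies on the inherited annotation being detected on the concrete override (what affected versions can miss).
class AccountService implements AdminOperations<Account> {
    @Override
    public void purge(Account entity) { /* destructive work */ }
}

// Workaround from the advisory: declare the annotation directly on the concrete target method.
class HardenedAccountService implements AdminOperations<Account> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public void purge(Account entity) { /* destructive work */ }
}

@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
    @Bean AdminOperations<Account> accountService() { return new HardenedAccountService(); }
}

// Regression test for the inherited method under a non-admin user; swap in AccountService to check your version.
@SpringJUnitConfig(MethodSecurityConfig.class)
class InheritedMethodSecurityTest {
    @Autowired AdminOperations<Account> service;

    @Test
    @WithMockUser(roles = "USER")
    void purgeOnInheritedMethodIsDenied() {
        assertThrows(AccessDeniedException.class, () -> service.purge(new Account("acct-1")));
    }
}
```

The bean is exposed through the interface type so the test works whether Spring creates a JDK or CGLIB proxy; a passing test with HardenedAccountService and a failing one with AccountService on an affected version demonstrates the gap the advisory describes.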
