Two vulnerabilities, CVE-2025-41248 and CVE-2025-41249, have been disclosed in Spring Security and Spring Framework that allow attackers to bypass authorization controls in enterprise applications.
The flaws surface when Spring Security's @EnableMethodSecurity feature is used together with method-level annotations such as @PreAuthorize and @PostAuthorize.
In applications where service interfaces or abstract base classes use unbounded generics, the annotation detection mechanism can fail to locate security annotations on overridden methods, allowing unauthorized access to protected endpoints.
Key Takeaways
1. Spring Security 6.4.x/6.5.x ignores method-level annotations on parameterized types, enabling an authorization bypass.
2. Spring Framework 5.3.x/6.1.x/6.2.x fails to detect annotations declared on generic superclasses.
3. Upgrade to the fixed versions, or redeclare the annotations on concrete classes as a workaround.
Both the authorization bypass and the annotation detection flaw are classified as Medium severity and affect a wide range of Spring Security and Spring Framework versions across the 5.x and 6.x release trains.
Authorization Bypass Vulnerability (CVE-2025-41248)
CVE-2025-41248 affects Spring Security versions 6.4.0 through 6.4.9 and 6.5.0 through 6.5.3.
When a parameterized superclass or interface defines a secured method signature and a subclass does not redeclare the annotation, the framework's metadata resolver does not traverse the generic type hierarchy correctly.
An attacker can exploit this gap by invoking secured operations that are defined only on a generic interface, bypassing authorization checks that rely on @PreAuthorize("hasRole('ADMIN')") or similar SpEL expressions.
The vulnerability carries a CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Annotation Detection Vulnerability (CVE-2025-41249)
CVE-2025-41249 affects the Spring Framework core modules in versions 5.3.0 through 5.3.44, 6.1.0 through 6.1.22, and 6.2.0 through 6.2.10.
In this case, the annotation detection flaw prevents recognition of any method annotation used for authorization or auditing when it is declared on a generic base class.
Without that annotation metadata, Spring Security cannot enforce method-level security constraints.
Both vulnerabilities stem from improper handling of unbounded generics during annotation introspection, which causes the runtime to ignore security metadata and treat sensitive service methods as if they were unprotected.
CVE            | Title                                                                                        | CVSS 3.1 Score | Severity
CVE-2025-41248 | Spring Security authorization bypass for method security annotations on parameterized types | 6.5            | Medium
CVE-2025-41249 | Spring Framework annotation detection vulnerability on generic superclasses                  | 6.5            | Medium
Mitigations
The Spring maintainers have released fixed versions for all affected modules. For Spring Security, users should upgrade to 6.4.10 or 6.5.4.
For Spring Framework, the recommended upgrades are 5.3.45, 6.1.23, and 6.2.11. Full mitigation details are available on the Spring Security Advisories page and its RSS feed.
Teams that cannot upgrade immediately can apply a temporary workaround by declaring all secured methods directly in the concrete class rather than relying on annotations inherited from generic superclasses.
Consistently placing @PreAuthorize, @PostAuthorize, and other method security annotations on each implementing class prevents the bypass.
Development teams are urged to review their service interfaces for uses of @EnableMethodSecurity in combination with generics.
Static analysis tools and custom annotation scanning scripts should be updated so that they detect annotated methods correctly across type hierarchies.
Security teams should prioritize these upgrades in CI/CD pipelines to avoid inadvertent exposure of protected APIs. Continuous validation of method-level security, combined with code reviews that focus on generic service patterns, strengthens authorization enforcement and guards against similar flaws.
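The following is an added example, not code from the Spring project or from this advisory. It shows the workaround described above (a concrete class that redeclares @PreAuthorize instead of inheriting it from a generic interface) next to the inheriting pattern, plus a small reflection-based audit of the kind the scanning-script recommendation calls for: it flags public methods of a concrete class that carry no @PreAuthorize of their own but override an annotated method somewhere in the type hierarchy. The service and record names (CrudService, User, InheritingUserService, RedeclaringUserService) are invented for illustration; the example assumes Java 17 or later and spring-security-core on the classpath for the real org.springframework.security.access.prepost.PreAuthorize annotation.

```java
// Added example (not from the Spring project or the article).
// Assumes spring-security-core on the classpath for @PreAuthorize and Java 17+.
import org.springframework.security.access.prepost.PreAuthorize;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class MethodSecurityAudit {

    // Hypothetical generic interface with an unbounded type parameter;
    // the security annotation lives only here.
    interface CrudService<T, ID> {
        @PreAuthorize("hasRole('ADMIN')")
        void delete(ID id);

        T find(ID id);
    }

    record User(Long id, String name) {}

    // Inheriting pattern: relies solely on the annotation declared on the
    // generic interface, which the affected versions may fail to detect.
    static class InheritingUserService implements CrudService<User, Long> {
        @Override public void delete(Long id) { /* delete logic */ }
        @Override public User find(Long id) { return new User(id, "alice"); }
    }

    // Workaround pattern: the annotation is redeclared on the concrete method,
    // so metadata resolution no longer depends on the generic hierarchy.
    static class RedeclaringUserService implements CrudService<User, Long> {
        @Override
        @PreAuthorize("hasRole('ADMIN')")
        public void delete(Long id) { /* delete logic */ }
        @Override public User find(Long id) { return new User(id, "alice"); }
    }

    /** Names of public methods on {@code concrete} that carry no @PreAuthorize
     *  themselves but override a method that does. An empty list means every
     *  secured method has been redeclared on the concrete class. */
    static List<String> methodsRelyingOnInheritedPreAuthorize(Class<?> concrete) {
        List<String> findings = new ArrayList<>();
        for (Method m : concrete.getDeclaredMethods()) {
            // Skip compiler-generated bridge methods (e.g. delete(Object)) and non-public methods.
            if (m.isBridge() || m.isSynthetic() || !Modifier.isPublic(m.getModifiers())) continue;
            if (m.isAnnotationPresent(PreAuthorize.class)) continue;
            if (overridesAnnotatedMethod(m, concrete)) findings.add(m.getName());
        }
        return findings;
    }

    // Walk every supertype and look for a same-named method whose erased parameter
    // types are assignable from the concrete method's parameters; for an unbounded
    // generic the erased parameter is Object, so delete(Long) matches delete(Object).
    private static boolean overridesAnnotatedMethod(Method m, Class<?> type) {
        List<Class<?>> supertypes = new ArrayList<>(List.of(type.getInterfaces()));
        if (type.getSuperclass() != null) supertypes.add(type.getSuperclass());
        for (Class<?> s : supertypes) {
            for (Method sm : s.getMethods()) {
                if (!sm.getName().equals(m.getName())
                        || sm.getParameterCount() != m.getParameterCount()) continue;
                boolean compatible = true;
                for (int i = 0; i < sm.getParameterCount(); i++) {
                    if (!sm.getParameterTypes()[i].isAssignableFrom(m.getParameterTypes()[i])) {
                        compatible = false;
                        break;
                    }
                }
                if (compatible && sm.isAnnotationPresent(PreAuthorize.class)) return true;
            }
            if (overridesAnnotatedMethod(m, s)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        System.out.println("inheriting:  " + methodsRelyingOnInheritedPreAuthorize(InheritingUserService.class));
        System.out.println("redeclaring: " + methodsRelyingOnInheritedPreAuthorize(RedeclaringUserService.class));
    }
}
```

Run against the inheriting service the audit reports the delete method, because its only @PreAuthorize sits on the generic interface; against the redeclaring service it reports nothing. The same scan can be pointed at every bean in an application context to find classes that still depend on inherited annotations until the fixed Spring versions are rolled out. Note that the audit checks @PreAuthorize only; extend it with @PostAuthorize and any other method security annotations the application uses.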