Authorization Bypass in Spring Security Aspects for Private Methods by Spring
CVE-2025-41232
9.1 CRITICAL
What is CVE-2025-41232?
Spring Security Aspects (spring-security-aspects) may fail to locate Spring Security method annotations such as @PreAuthorize on private methods, so an annotated private method can be invoked without the intended authorization check being applied. An application is affected only when both conditions hold: it enables method security in AspectJ mode with @EnableMethodSecurity(mode=ASPECTJ) together with spring-security-aspects, and it places Spring Security method annotations on private methods. Applications that use the default proxy mode, or that annotate only non-private methods, are not affected. To remediate, upgrade to Spring Security 6.4.6 or later; as a workaround, either stop using @EnableMethodSecurity(mode=ASPECTJ) or move the security annotations off private methods and onto the non-private methods through which callers reach them.
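The affected shape described above, shown next to a hardened form and a small reflection audit that lists annotated private methods in a set of classes. This is an added example written for this page, not code from the Spring Security project or from the advisory; the class, method and role names (MethodSecurityConfig, ReportService, HardenedReportService, ROLE_ADMIN) are illustrative assumptions.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.AdviceMode;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

// Condition 1 from the advisory: AspectJ mode, which needs spring-security-aspects
// and AspectJ weaving on the classpath. With the default PROXY mode a private method
// is never advised at all, because a proxy only intercepts calls from outside the bean.
@Configuration
@EnableMethodSecurity(mode = AdviceMode.ASPECTJ)
class MethodSecurityConfig {
}

// Condition 2: a Spring Security method annotation on a private method (hypothetical service).
class ReportService {

    // Callers reach the sensitive work through this public entry point...
    public String exportAll() {
        return exportAllInternal();
    }

    // ...but the check lives on the private method. On Spring Security 6.4.0-6.4.5
    // in ASPECTJ mode the aspect may not locate this annotation, so the body runs
    // without the ROLE_ADMIN check.
    @PreAuthorize("hasRole('ADMIN')")
    private String exportAllInternal() {
        return "all-reports";
    }
}

// Hardened form: the annotation sits on the non-private method callers actually invoke.
// This is enforced in both PROXY and ASPECTJ mode and does not depend on the fix.
class HardenedReportService {

    @PreAuthorize("hasRole('ADMIN')")
    public String exportAll() {
        return exportAllInternal();
    }

    // No authorization annotation here; the method is reachable only via exportAll().
    private String exportAllInternal() {
        return "all-reports";
    }
}

// Audit helper: reports private methods carrying Spring Security method annotations,
// the exact shape the advisory warns about. Run it over your service classes to decide
// whether the workaround is needed before the upgrade lands.
final class PrivateAnnotationAudit {

    @SuppressWarnings("unchecked")
    private static final Class<? extends Annotation>[] SECURITY_ANNOTATIONS = new Class[] {
            PreAuthorize.class, PostAuthorize.class, PreFilter.class, PostFilter.class
    };

    static List<String> findAnnotatedPrivateMethods(Class<?>... types) {
        List<String> findings = new ArrayList<>();
        for (Class<?> type : types) {
            // getDeclaredMethods() includes private methods, unlike getMethods().
            for (Method m : type.getDeclaredMethods()) {
                if (!Modifier.isPrivate(m.getModifiers())) {
                    continue;
                }
                for (Class<? extends Annotation> a : SECURITY_ANNOTATIONS) {
                    if (m.isAnnotationPresent(a)) {
                        findings.add(type.getName() + "#" + m.getName() + " (@" + a.getSimpleName() + ")");
                    }
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // ReportService yields one finding (exportAllInternal); HardenedReportService yields none.
        findAnnotatedPrivateMethods(ReportService.class, HardenedReportService.class)
                .forEach(System.out::println);
    }
}
```

The audit only covers the prepost annotations; if the application also uses @Secured or JSR-250 annotations (@RolesAllowed, @DenyAll, @PermitAll), add those classes to SECURITY_ANNOTATIONS. Checking for private annotated methods is a reasonable policy even after upgrading, since proxy-mode method security never intercepts private or self-invoked methods either.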
Affected Version(s)
Spring Security 6.4.x < 6.4.6