CVE-2025-41248: Spring Security authorization bypass for method security annotations on parameterized types
CVE-2025-41248

7.5HIGH

Key Information:

Vendor: Vmware
Status: Spring Security
Vendor: CVE Published:; 16 September 2025

What is CVE-2025-41248?

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass.

Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.

You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.

This CVE is published in conjunction with CVE-2025-41249 https://spring.io/security/cve-2025-41249 .

Affected Version(s)

Spring Security 6.4.x < 6.4.10

Spring Security 6.5.x < 6.5.4

References

https://spring.io/security/cve-2025-41248

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 16, 2025
Vulnerability Reserved
Apr 16, 2025

Vmware

What is CVE-2025-41248?

Affected Version(s)

References

CVSS V3.1

Timeline