Get a Demo

CVE

CVE-2025-41249

Spring Framework annotation detection mechanism may result in improper authorization

Description

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.

Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.

You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.

This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .

Base CVSS

7.5

EPSS Score

0.06%

Introduced Version

5.1.0.RELEASE

Fix Available

6.2.11,7.0.0-M9

Fix without Upgrading

Available Patches

Package

CVEs Fixed

Lines of Code Changed

Package Name

org.springframework:spring-core

org.springframework:spring-web

org.springframework:spring-core

References

https://github.com/spring-projects/spring-framework/commit/6d710d482a6785b069e35022e81758953afc21ff

https://github.com/spring-projects/spring-framework/releases/tag/v6.2.11

https://nvd.nist.gov/vuln/detail/CVE-2025-41249

https://spring.io/security/cve-2025-41249

https://github.com/spring-projects/spring-framework/issues/35342

https://github.com/spring-projects/spring-framework

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance

Oops! Something went wrong, please try again.

Get a Demo

Let's Patch It!

References

AppSec for the Software Development Revolution