CVE-2025-41248
Description
The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass.
Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.
You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.
This CVE is published in conjunction with CVE-2025-41249 (https://spring.io/security/cve-2025-41249).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.security:spring-security-core (Maven) | >= 6.4.0, < 6.4.10 | 6.4.10 |
| org.springframework.security:spring-security-core (Maven) | >= 6.5.0, < 6.5.4 | 6.5.4 |
Affected products
No CPE identifiers are assigned to these entries; the ranges are given against OSV package coordinates (purls).

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/apache-nifi | < 2.5.0-r11 |
| pkg:apk/chainguard/apache-nifi-compat | < 2.5.0-r11 |
| pkg:apk/chainguard/apache-nifi-registry | < 2.5.0-r6 |
| pkg:apk/chainguard/apache-nifi-registry-toolkit | < 2.5.0-r6 |
| pkg:apk/chainguard/apache-nifi-toolkit | < 2.5.0-r11 |
| pkg:apk/chainguard/jenkins-2 | < 2.528-r0 |
| pkg:apk/chainguard/jenkins-2.504 | < 2.504.3-r5 |
| pkg:apk/chainguard/jenkins-2.504-openjdk-17 | < 2.504.3-r5 |
| pkg:apk/chainguard/jenkins-2.504-openjdk-21 | < 2.504.3-r5 |
| pkg:apk/chainguard/jenkins-2.516 | < 2.516.2-r1 |
| pkg:apk/chainguard/jenkins-2.516-openjdk-17 | < 2.516.2-r1 |
| pkg:apk/chainguard/jenkins-2.516-openjdk-21 | < 2.516.2-r1 |
| pkg:apk/chainguard/jenkins-2-openjdk-17 | < 2.528-r0 |
| pkg:apk/chainguard/jenkins-2-openjdk-21 | < 2.528-r0 |
| pkg:apk/chainguard/jenkins-compat | < 2.528-r0 |
| pkg:apk/chainguard/jenkins-docker-agent | < 2.528-r0 |
| pkg:apk/chainguard/jenkins-docker-agent-openjdk-17 | < 2.528-r0 |
| pkg:apk/chainguard/jenkins-docker-agent-openjdk-21 | < 2.528-r0 |
| pkg:apk/chainguard/jenkins-remoting | < 2.528-r0 |
| pkg:apk/chainguard/jenkins-utils | < 2.528-r0 |
| pkg:apk/chainguard/nacos | < 3.1.0-r0 |
| pkg:apk/chainguard/nacos-compat | < 3.1.0-r0 |
| pkg:apk/chainguard/nacos-docker | < 3.1.0-r0 |
| pkg:apk/chainguard/thingsboard | < 4.2-r6 |
| pkg:apk/chainguard/thingsboard-tb-js-executor | < 4.2-r6 |
| pkg:apk/chainguard/thingsboard-tb-mqtt-transport | < 4.2-r6 |
| pkg:apk/chainguard/thingsboard-tb-node | < 4.2-r6 |
| pkg:apk/chainguard/thingsboard-tb-web-ui | < 4.2-r6 |
| pkg:apk/wolfi/apache-nifi | < 2.5.0-r11 |
| pkg:apk/wolfi/apache-nifi-compat | < 2.5.0-r11 |
| pkg:apk/wolfi/apache-nifi-registry | < 2.5.0-r6 |
| pkg:apk/wolfi/apache-nifi-registry-toolkit | < 2.5.0-r6 |
| pkg:apk/wolfi/apache-nifi-toolkit | < 2.5.0-r11 |
| pkg:apk/wolfi/jenkins-2 | < 2.528-r0 |
| pkg:apk/wolfi/jenkins-2-openjdk-17 | < 2.528-r0 |
| pkg:apk/wolfi/jenkins-2-openjdk-21 | < 2.528-r0 |
| pkg:apk/wolfi/jenkins-compat | < 2.528-r0 |
| pkg:apk/wolfi/jenkins-docker-agent | < 2.528-r0 |
| pkg:apk/wolfi/jenkins-docker-agent-openjdk-17 | < 2.528-r0 |
| pkg:apk/wolfi/jenkins-docker-agent-openjdk-21 | < 2.528-r0 |
| pkg:apk/wolfi/jenkins-remoting | < 2.528-r0 |
| pkg:apk/wolfi/jenkins-utils | < 2.528-r0 |
| pkg:apk/wolfi/thingsboard | < 4.2-r6 |
| pkg:apk/wolfi/thingsboard-tb-js-executor | < 4.2-r6 |
| pkg:apk/wolfi/thingsboard-tb-mqtt-transport | < 4.2-r6 |
| pkg:apk/wolfi/thingsboard-tb-node | < 4.2-r6 |
| pkg:apk/wolfi/thingsboard-tb-web-ui | < 4.2-r6 |
| pkg:maven/org.springframework.security/spring-security-core | >= 6.4.0, < 6.4.10; >= 6.5.0, < 6.5.4 |
References
- github.com/advisories/GHSA-8v5q-rhf3-jphm (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-41248 (GHSA, advisory)
- github.com/spring-projects/spring-security/commit/d0f93fa6d8338149943ae640c53db07de827867f (GHSA, web)
- github.com/spring-projects/spring-security/commit/e5694ac7b5e4394b920c6cab48b7bfbd871f84bd (GHSA, web)
- github.com/spring-projects/spring-security/issues/17898 (GHSA, web)
- github.com/spring-projects/spring-security/issues/17899 (GHSA, web)
- github.com/spring-projects/spring-security/releases/tag/6.4.10 (GHSA, web)
- github.com/spring-projects/spring-security/releases/tag/6.5.4 (GHSA, web)
- spring.io/security/cve-2025-41248 (NVD, web)