CVE-2025-41249

16.09.2025, 11:15

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.

Your application may be affected by this if you are using Spring Security's @EnableMethodSecurityfeature.

You are not affected by this if you are not using @EnableMethodSecurityor if you do not use security annotations on methods in generic superclasses or generic interfaces.

This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vmware	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Common Weakness Enumeration

CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Vulnerability Media Exposure

[GERMAN] VMware Tanzu Spring Framework und Spring Security: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in VMware Tanzu Spring Security und VMware Tanzu Spring Framework ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
Published: 2025-09-15T22:00:00+00:00

References

https://spring.io/security/cve-2025-41249