CVE-2025-41249
Authorization Bypass vulnerability in spring-core (Maven)
What is CVE-2025-41249 About?
This authorization bypass vulnerability in Spring Framework arises from incorrect annotation resolution on methods in generic super types, affecting Spring Security's `@EnableMethodSecurity`. It can lead to improper authorization decisions, potentially granting unauthorized access. The vulnerability is specific to systems using generic superclasses and method-level security annotations.
Affected Software
- org.springframework:spring-core
  - >6.2.0, <6.2.11
  - >5.3.0, <=5.3.44
  - >6.0.0, <=6.1.22
Technical Details
The Spring Framework's annotation detection mechanism may fail to correctly resolve security-related annotations (e.g., Spring Security's @PreAuthorize, @PostAuthorize, etc.) placed on methods within a type hierarchy that involves a parameterized super type with unbounded generics. When a concrete class inherits from such a generic superclass or implements such a generic interface, and a method in the generic super type is annotated for authorization, the annotation processor might not identify and apply these annotations to the inherited or implemented method in the concrete class. This resolution failure can lead to a scenario where authorization decisions are not enforced for the affected methods, potentially allowing unauthorized access to resources or operations that should be protected.
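The affected shape described above, as an added example that is not code from the advisory or the Spring project: a security annotation declared only on a method of a generic super type, paired with a regression test that checks the inherited rule is actually enforced. Class, role and bean names are hypothetical; it assumes Spring Boot with spring-security-test on the classpath and `@EnableMethodSecurity` on a configuration class.

```java
// Added example (not from the advisory or Spring). Names are hypothetical.
// Assumes Spring Boot, spring-security-test and @EnableMethodSecurity.
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.stereotype.Service;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertThrows;

// Generic super type: the authorization rule lives here, not on the concrete class.
abstract class GenericCrudService<T, ID> {
    @PreAuthorize("hasRole('ADMIN')")
    public abstract void delete(ID id);
}

// Concrete service whose only authorization rule is the inherited one above.
@Service
class AccountService extends GenericCrudService<Account, Long> {
    @Override
    public void delete(Long id) {
        // Delete logic; must only be reached when @PreAuthorize was enforced.
    }
}

record Account(Long id) {}

@SpringBootTest
class AccountServiceAuthorizationTest {
    @Autowired
    AccountService accountService;

    // A non-admin caller must be rejected. If method security does not resolve
    // the inherited @PreAuthorize (the failure the advisory describes), delete()
    // runs without an exception and this test fails, surfacing the gap early.
    @Test
    @WithMockUser(roles = "USER")
    void deleteIsDeniedForNonAdmin() {
        assertThrows(AccessDeniedException.class, () -> accountService.delete(1L));
    }
}
```

Run the test against the upgraded spring-core version as well, so it documents the expected enforcement after the fix rather than only the regression.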
What is the Impact of CVE-2025-41249?
Successful exploitation may allow attackers to bypass intended authorization controls, potentially leading to unauthorized access to sensitive functionality, data, or privileges within an application.
What is the Exploitability of CVE-2025-41249?
Exploitation complexity is moderate to high, as it requires a deep understanding of the application's class hierarchy, generic type usage, and security annotation placement. No direct authentication bypass is implied; rather, the vulnerability allows a user who already has some level of authentication to perform actions for which they lack appropriate authorization. This is an internal logical flaw, not a remote attack vector in itself, but it can be triggered remotely if the vulnerable method is exposed. The key prerequisites are the use of Spring Security's @EnableMethodSecurity, method-level security annotations on generic superclasses or interfaces, and a specific parameterized super type with unbounded generics. Risk factors that increase exploitation likelihood include complex inheritance structures, widespread use of generics in business logic, and insufficient testing of authorization enforcement across all method overrides.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-41249?
Available Upgrade Options
- org.springframework:spring-core
  - >6.2.0, <6.2.11 → Upgrade to 6.2.11
Additional Resources
- https://github.com/spring-projects/spring-framework/commit/6d710d482a6785b069e35022e81758953afc21ff
- https://spring.io/security/cve-2025-41249
- https://osv.dev/vulnerability/GHSA-jmp9-x22r-554x
- https://github.com/spring-projects/spring-framework/releases/tag/v6.2.11
- https://github.com/spring-projects/spring-framework/issues/35342
- https://nvd.nist.gov/vuln/detail/CVE-2025-41249
- https://github.com/spring-projects/spring-framework
What are Similar Vulnerabilities to CVE-2025-41249?
Similar Vulnerabilities: CVE-2023-34035, CVE-2022-22971, CVE-2021-22096, CVE-2020-5390, CVE-2019-3795
