Spring Framework, Authorization Bypass, CVE-2025-41248 (High)

Listen to this Post

The vulnerability stems from a flaw in the Spring Framework’s annotation detection mechanism. When processing type hierarchies, the mechanism fails to correctly resolve security annotations (e.g., @PreAuthorize) on methods inherited from a parameterized supertype that uses unbounded generics. This incorrect resolution occurs during the creation of the runtime proxy for method security. Consequently, the security interceptor may not find the intended authorization annotation and therefore will not enforce the security constraint, leading to a potential authorization bypass. This only affects applications using `@EnableMethodSecurity` with security annotations placed on methods within generic superclasses or interfaces.
Platform: Spring Framework
Version: 5.3.0-5.3.44, 6.0.0-6.1.22, 6.2.0-6.2.10
Vulnerability: Authorization Bypass
Severity: High

date: 2025-09-16

Prediction: 2025-10-14

What Undercode Say:

`grep -r “@PreAuthorize” –include=”.java” . | grep “extends”`

`grep -r “@EnableMethodSecurity” –include=”.java” .`

How Exploit:

Craft HTTP requests targeting endpoints with inherited security annotations from generic superclasses. The authorization check is silently skipped, allowing unauthorized access to protected methods.

Protection from this CVE:

Upgrade to Spring Framework versions 5.3.45, 6.1.23, or 6.2.11. Alternatively, refactor code to move security annotations from generic supertypes to concrete class methods.

Impact:

Unauthorized access to protected functionality, potential data exposure, and privilege escalation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top