Listen to this Post
The vulnerability exists within the annotation detection mechanism of Spring Security’s method-level security, specifically when using @EnableMethodSecurity. The flaw occurs when the framework attempts to resolve security annotations like `@PreAuthorize` on methods that are inherited from a parameterized superclass or interface using unbounded generics. Due to an error in the type hierarchy resolution logic, the security interceptor may fail to locate the annotation on the inherited method. Consequently, the security constraint is not applied, and the method is executed without the required authorization check, leading to a potential bypass if the method exposes sensitive functionality.
Platform: Spring Security
Version: 6.4.0-6.4.9, 6.5.0-6.5.3
Vulnerability: Authorization Bypass
Severity: High
date: 2025-09-16
Prediction: Patch 2025-09-23
What Undercode Say:
`grep -r “@PreAuthorize” –include=”.java” . | grep “extends\|implements”`
`if (findAnnotation(method, PreAuthorize.class) == null) { proceed(); }`
How Exploit:
Craft request to annotated endpoint bypassing authorization checks.
Protection from this CVE:
Upgrade to 6.4.10, 6.5.4.
Impact:
Unauthorized access to protected methods.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

