Security advisory: Two new security vulnerabilities have been discovered in the Spring Framework and Spring Security components identified as CVE-2025-41248 and CVE-2025-41249.

Severity	Medium
CVSS Score	4.4
CVEs	CVE-2025-41248, CVE-2025-41249
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview 

These issues affect applications that use method-level security annotations like @PreAuthorize to control access to certain methods or features. Under specific conditions when generics are used in parent classes or interfaces, these annotations may not be properly detected, which could allow unauthorized users to access restricted functionality. 

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Spring Security Authorization Bypass Vulnerability	CVE-2025-41248	Spring Security	Medium	6.5.4 (Open Source) 6.4.10 (Open Source)
Spring Framework Annotation Detection Vulnerability	CVE-2025-41249	Spring Framework	Medium	6.2.11 (Open Source) 6.1.23 (Commercial Support) 5.3.45 (Commercial Support)

Technical Summary 

The vulnerability arises when Spring applications use inheritance (where a class inherits methods from another class) and generics (a way to define methods or classes that can handle different types of data) together. If a secured method, like one marked with the @PreAuthorize annotation (used to enforce security checks), is declared in a generic superclass or interface without clear type definitions, Spring might fail to recognize the security annotation at runtime. This means unauthorized users could potentially access these methods. This issue affects Spring Security versions 6.4.0 to 6.5.3 and Spring Framework versions 5.3.0 to 6.2.10. The Spring team has since released updates to better handle security annotations in such cases, ensuring proper authorization checks. 

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-41248	Spring Security 6.4.0 – 6.4.9 6.5.0 – 6.5.3	Spring Security may fail to detect method-level security annotations applied to generic superclasses or interfaces, resulting in unauthorized access.	Unauthorized access
CVE-2025-41249	Spring Framework 6.2.0 – 6.2.10 6.1.0 – 6.1.22 5.3.0 – 5.3.44 Older, unsupported versions are also affected.	Spring Framework does not consistently recognize security annotations on methods declared in generic superclasses or interfaces, which can lead to authorization bypass.	Authorization bypass.

Remediation: 

Users should immediately update to the latest patched versions of Spring Security and Spring Framework: 

Spring Security
Affected Version	Fix Version
6.5.x	6.5.4
6.4.x	6.4.10

Spring Framework
Affected Version	Fix Version
6.2.x	6.2.11
6.1.x	6.1.23
6.0.x	N/A (OOS)
5.3.x	5.3.45

Conclusion: 
These vulnerabilities cause Spring Security and Spring Framework to sometimes miss detecting method-level security annotations in generic type hierarchies. This can allow unauthorized users to bypass authorization checks, exposing protected functionality. While the severity is medium, it is important to update to the fixed versions promptly and review security annotation usage on generics to maintain proper access control. 

References: 

• https://spring.io/security/cve-2025-41248 

• https://spring.io/security/cve-2025-41249 

• https://securityonline.info/spring-framework-and-spring-security-vulnerabilities-expose-authorization-bypass-risks-cve-2025-41248-cve-2025-41249/