The Spring Security and Spring Framework teams have collaborated to release fixes for the following CVEs.
Both of these CVE reports pertain to vulnerabilities that may be encountered when using security annotations on methods within type hierarchies with a parameterized super type with unbounded generics. See the individual CVE reports for further details.
The Spring Security 6.4.10 and 6.5.4 open source releases address CVE-2025-41248.
The Spring Framework 6.2.11 open source release addresses CVE-2025-41249.
Open source support for the Spring Framework 5.3.x and 6.1.x generations has ended; however, this fix has been applied to the Spring Framework 5.3.45 and 6.1.23 commercial releases, which are available now.
If you are not a commercial customer, please consider upgrading to a supported open source version of Spring Framework at your earliest convenience. Commercial customers using Spring Boot 2.7, 3.2, or 3.3 can make use of Spring Boot Hotfix releases 2.7.29.1, 3.2.18.1, and 3.3.15.1. Releases are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.