Description

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.

Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.

You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.

This CVE is published in conjunction with CVE-2025-41248.

Affected Spring Products and Versions

Spring Framework:

6.2.0 - 6.2.10
6.1.0 - 6.1.22
5.3.0 - 5.3.44
Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)	Fix version	Availability
6.2.x	6.2.11	OSS
6.1.x	6.1.23	Commercial
6.0.x	N/A	Out of support
5.3.x	5.3.45	Commercial

No further mitigation steps are necessary.

Credit

The issue was identified and responsibly reported by an anonymous individual.

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:O/RC:C/CR:L/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N&version=3.1

History

2025-09-15: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all

Spring Security Advisories

CVE-2025-41249: Spring Framework Annotation Detection Vulnerability