CVE-2025-41248 & CVE-2025-41249: Vulnerabilities in Spring Framework, Spring Security Lead to Authorization Bypass, Expose Sensitive Data

Spring Framework is a lightweight Java framework widely used for building scalable enterprise applications. It is often used in conjunction with Spring Security to enforce authorization and method-level access controls. Because many enterprise systems depend on Spring, any security issue affecting the framework can have a widespread impact, as demonstrated by Spring4Shell (CVE-2022-22965), a critical remote code execution vulnerability that highlighted the risks of unpatched applications.
In September 2025, two novel vulnerabilities, CVE-2025-41248 and CVE-2025-41249, were disclosed. These flaws affect Spring Framework and Spring Security and involve incorrect detection of security annotations in certain class hierarchies, which can lead to authorization bypass or exposure of sensitive data.
With over 35,000 new CVEs already logged by NIST this year, cybersecurity teams face mounting pressure to stay ahead. Vulnerability exploitation remains the leading attack vector, and as cyber threats grow more sophisticated, proactive detection is essential to reducing the attack surface and mitigating risk.
Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.
Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering, which is now enhanced with a new AI Chat Bot mode and the MCP tools support. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.
CVE-2025-41248 & CVE-2025-41249 Analysis
The newly disclosed vulnerabilities CVE-2025-41248 and CVE-2025-41249 in Spring Security and Spring Framework highlight how flaws in annotation detection can undermine enterprise defenses. Both vulnerabilities are tied to Spring’s failure to consistently resolve annotations on methods within type hierarchies that use parameterized supertypes with unbounded generics. This can cause method-level security annotations, including @PreAuthorize, to be skipped, leaving protected methods accessible to unauthorized users.
CVE-2025-41248 affects Spring Security 6.4.0 through 6.4.9 and 6.5.0 through 6.5.3, where the framework may fail to detect method-level security annotations in generic superclasses or interfaces, resulting in unauthorized access. CVE-2025-41249 is a closely related flaw in the Spring Framework itself, impacting versions 6.2.0 through 6.2.10, 6.1.0 through 6.1.22, and 5.3.0 through 5.3.44, as well as older unsupported versions. In this case, the framework does not consistently recognize annotations declared on methods in generic type hierarchies, which can lead to authorization bypass.
Only applications that enable method-level security with @EnableMethodSecurity and rely on annotations placed on generic interfaces or superclasses are exposed, but for those projects the risk is significant: attackers could gain access to sensitive data or execute business logic outside of the intended controls, all without bypassing authentication.
The Spring team has released patched versions addressing the CVE-2025-41248 and CVE-2025-41249 flaws, and immediate upgrades are strongly recommended.
Patched versions:
- Spring Security: 6.4.10, 6.5.4
- Spring Framework: 6.2.11, 6.1.23, 5.3.45
For organizations that cannot patch right away, the advisory suggests declaring all secured target methods directly in their target class as a temporary mitigation.
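As an added illustration (not code from the advisory or from the Spring project), the following hypothetical service shows the exposed pattern, a @PreAuthorize annotation declared only on a generic interface method, beside the advisory's workaround, in which the secured method and its annotation are declared directly in the target class. The interface, class and method names are invented for this example.

```java
// Added illustration (not from the advisory or the Spring project): a hypothetical
// service whose @PreAuthorize lives on a generic interface, beside the form the
// advisory recommends as a temporary workaround (annotation on the concrete class).
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity   // method-level security enabled: the precondition named by the advisory
class MethodSecurityConfig {}

// Exposed pattern: the only security annotation sits on a method of a
// parameterized supertype. Whether it takes effect depends on the framework
// resolving annotations through the generic hierarchy, which the affected
// versions may fail to do, leaving exportAll() callable by any authenticated user.
interface ExportService<T> {
    @PreAuthorize("hasRole('ADMIN')")
    List<T> exportAll();
}

@Service
class ReportExportService implements ExportService<Object> {   // unbounded type argument
    @Override
    public List<Object> exportAll() {
        return List.of("quarterly-report", "payroll");            // constructed sample data
    }
}

// Workaround from the advisory: declare the secured method, together with its
// annotation, directly in the target class so that enforcement no longer depends
// on annotation lookup through the generic supertype.
@Service
class HardenedReportExportService implements ExportService<Object> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public List<Object> exportAll() {
        return List.of("quarterly-report", "payroll");            // constructed sample data
    }
}
```

The workaround is a stopgap only; upgrading to the patched versions listed above removes the dependency on where the annotation is declared.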
As vulnerabilities in widely used software continue to rise, organizations are advised to adopt proactive security practices, such as consistent patch management and ongoing monitoring for unusual activity, to safeguard against emerging threats. SOC Prime equips security teams with a complete product suite backed by AI, automation, and real-time threat intelligence and built on zero-trust security principles to enable organizations to outscale emerging threats and enhance cyber resilience.