Spring Framework Generic Annotation Detection Flaw in @EnableMethodSecurity
CVE-2025-41249 Published on September 16, 2025
CVE-2025-41249: Spring Framework Annotation Detection Vulnerability
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.
You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.
This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .
Vulnerability Analysis
CVE-2025-41249 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-41249 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2025-41249
stack.watch emails you whenever new vulnerabilities are published in VMware Spring Framework or Oracle. Just hit a watch button to start following.
Affected Versions
VMware Spring Framework:- Version 6.2.x and below 6.2.11 is affected.
- Version 6.1.x and below 6.1.23 is affected.
- Version 5.3.x and below 5.3.45 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.