CVE-2025-41249

Privilege Abuse
Affects
Spring Framework (Spring)
Versions
>=5.3.0 <=5.3.44, >=6.0.0 <=6.0.29, >=6.1.0 <6.1.23, >=6.2.0 <6.2.11
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.

Spring Security's method security feature, enabled via @EnableMethodSecurity, lets developers place annotations on methods (e.g. @PreAuthorize, @RolesAllowed) to enforce authorization decisions. The annotation lookup that this relies on is implemented in Spring Framework, and a Privilege Abuse vulnerability (CVE-2025-41249) has been discovered in that annotation detection mechanism.

The defect is triggered when a method carrying a security annotation is declared in a generic superclass or generic interface whose type parameters are unbounded. In that situation Spring may fail to resolve the annotation on the overriding method, treat the method as unannotated, and silently skip the authorization check. Any application that relies on such annotations for enforcement can therefore expose the method to unauthorized callers.

A Privilege Abuse vulnerability occurs when a system grants a user elevated or sensitive privileges, and those privileges are misused either intentionally by a malicious actor or unintentionally due to flawed enforcement mechanisms. Instead of breaking past access controls, attackers exploit the privileges they already have—or that the system incorrectly grants them—to perform unauthorized actions. This typically happens when security annotations, policies, or enforcement layers fail to correctly apply restrictions, creating opportunities for abuse.

Privilege abuse is a serious security risk because it can result in:

  • Excessive Access to Sensitive Data: Users may leverage unintended privileges to read or manipulate confidential information such as customer data, financial records, or intellectual property.
  • Escalated Operations: Attackers can perform privileged actions that should normally be restricted, such as invoking administrative functions or executing protected business logic.
  • Insider Threats: Authorized users may exploit their granted privileges beyond intended use, intentionally or unintentionally, leading to security breaches.
  • System Integrity Risks: Abuse of misapplied privileges can enable unauthorized changes, manipulation of application state, or chaining into further compromises.

This issue affects multiple versions of Spring Framework’s spring-core, spring-web and spring-messaging packages.

Details

Vulnerability Info

The flaw is reachable when Spring Security's method security is in use (annotations enabled via @EnableMethodSecurity). It is closely related to CVE-2025-41248, which addresses the same annotation-detection problem on the Spring Security side.

The annotation detection logic does not always find method-level security annotations when the annotated method is declared in a superclass or interface whose type is parameterized with unbounded generics. Because the lookup returns nothing, Spring concludes that there is no annotation and the authorization check is never applied to the concrete method.

An application is vulnerable if the following conditions are true:

  • Your application uses Spring Security's @EnableMethodSecurity
  • You define security annotations (e.g. @PreAuthorize, @Secured) on methods declared in a superclass or interface that is generic and whose type parameters are unbounded (declared as <T> rather than <T extends SomeType>).

Example

// Generic interface with unbounded type parameters A and B; the security
// annotation is declared here, on the interface method.
interface GenericControllerInterface<A, B> {

  @PreAuthorize("hasRole('ADMIN')") // any authorization expression will do
  void test(A value1, B value2);

}

// Generic abstract superclass that fixes A to Long and leaves C unbounded.
abstract class GenericControllerAbstractSuperclass<C> implements GenericControllerInterface<Long, C> {

  @Override
  public void test(Long value1, C value2) {
    // implementation
  }

}

// Concrete class that is actually invoked; the annotation on test(...) may
// not be detected here on affected Spring Framework versions.
class GenericControllerImpl extends GenericControllerAbstractSuperclass<String> {
}
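The following is an added example, not code from the HeroDevs page or from the Spring project. It uses Spring Framework's public annotation-resolution API (AnnotatedElementUtils) to check, on whatever Spring version is on the classpath, whether the @PreAuthorize declared on an unbounded generic interface method is visible on the concrete class, and contrasts that with a variant that repeats the annotation on the concrete override. The class names GenericAnnotationCheck, AnnotatedImpl and the method resolvedPreAuthorize are hypothetical; spring-core and spring-security-core are assumed to be on the classpath.

```java
import java.lang.reflect.Method;

import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.util.ReflectionUtils;

// Added example (hypothetical class): self-check for the CVE-2025-41249
// annotation-detection failure on the running Spring Framework version.
public class GenericAnnotationCheck {

    // Same hierarchy shape as the advisory: unbounded generics, annotation on
    // the interface method only.
    interface GenericControllerInterface<A, B> {
        @PreAuthorize("hasRole('ADMIN')")
        void test(A value1, B value2);
    }

    static abstract class GenericControllerAbstractSuperclass<C>
            implements GenericControllerInterface<Long, C> {
        @Override
        public void test(Long value1, C value2) {
            // business logic would go here
        }
    }

    static class GenericControllerImpl extends GenericControllerAbstractSuperclass<String> {
    }

    // Defence-in-depth variant (hypothetical): the annotation is repeated on
    // the concrete override, so resolving it no longer depends on walking an
    // unbounded generic hierarchy. This does not replace upgrading.
    static class AnnotatedImpl extends GenericControllerAbstractSuperclass<String> {
        @Override
        @PreAuthorize("hasRole('ADMIN')")
        public void test(Long value1, String value2) {
            // business logic would go here
        }
    }

    // Returns the @PreAuthorize expression Spring resolves for the given
    // method, or null when Spring finds no annotation (the vulnerable outcome).
    static String resolvedPreAuthorize(Class<?> type, String name, Class<?>... paramTypes) {
        Method m = ReflectionUtils.findMethod(type, name, paramTypes);
        if (m == null) {
            throw new IllegalArgumentException("no method " + name + " on " + type.getName());
        }
        PreAuthorize pa = AnnotatedElementUtils.findMergedAnnotation(m, PreAuthorize.class);
        return pa == null ? null : pa.value();
    }

    public static void main(String[] args) {
        // Note the erased parameter types: in the abstract superclass, C erases
        // to Object, so the declared method is test(Long, Object).
        String fromHierarchy = resolvedPreAuthorize(
                GenericControllerImpl.class, "test", Long.class, Object.class);
        String fromOverride = resolvedPreAuthorize(
                AnnotatedImpl.class, "test", Long.class, String.class);

        System.out.println("GenericControllerImpl.test -> " + fromHierarchy);
        System.out.println("AnnotatedImpl.test        -> " + fromOverride);

        if (fromHierarchy == null) {
            System.out.println("WARNING: @PreAuthorize from the generic interface was not detected;"
                    + " this Spring Framework build looks affected by CVE-2025-41249");
        }
    }
}
```

Run it with the spring-core and spring-security-core jars of the version under test on the classpath. A null result for GenericControllerImpl.test means Spring resolved no annotation for the concrete method, which is exactly the condition under which method security would skip the check; the second lookup shows that an annotation declared directly on the concrete override is resolved regardless. Use the check as a regression test after upgrading rather than as a substitute for the upgrade.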

Mitigation

Only recent versions of Spring Framework are community-supported, and only those versions receive updates to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a supported version of Spring Framework that contains the fix (6.1.23 or later on the 6.1 line, 6.2.11 or later on the 6.2 line, per the affected version ranges above).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support on the 5.3.x and 6.0.x lines.

Credit

  • Avgustin Marinov

Vulnerability Details

ID: CVE-2025-41249
Project affected: Spring Framework
Versions affected: >=5.3.0 <=5.3.44, >=6.0.0 <=6.0.29, >=6.1.0 <6.1.23, >=6.2.0 <6.2.11
Published date: September 22, 2025
Approximate fix date: September 16, 2025
Severity: Medium (CVSS scale used on this page: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
Category: Privilege Abuse