{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-41248","assignerOrgId":"dcf2e128-44bd-42ed-91e8-88f912c1401d","state":"PUBLISHED","assignerShortName":"vmware","dateReserved":"2025-04-16T09:30:25.625Z","datePublished":"2025-09-16T10:10:59.953Z","dateUpdated":"2025-09-18T06:29:51.189Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Spring Security","vendor":"VMware","versions":[{"lessThan":"6.4.11","status":"affected","version":"6.4.x","versionType":"OSS"},{"lessThan":"6.5.5","status":"affected","version":"6.5.x","versionType":"OSS"}]}],"datePublic":"2025-09-15T18:27:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using <code>@PreAuthorize</code>&nbsp;and other method security annotations, resulting in an authorization bypass.</p><p>Your application may be affected by this if you are using Spring Security's <code>@EnableMethodSecurity</code>&nbsp;feature.</p><p>You are not affected by this if you are not using <code>@EnableMethodSecurity</code>&nbsp;or if you do not use security annotations on methods in generic superclasses or generic interfaces.</p><p>This CVE is published in conjunction with <a target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/security/cve-2025-41249\">CVE-2025-41249</a>.</p><br>"}],"value":"The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass.\n\nYour application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.\n\nYou are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.\n\nThis CVE is published in conjunction with  CVE-2025-41249 https://spring.io/security/cve-2025-41249 ."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"providerMetadata":{"orgId":"dcf2e128-44bd-42ed-91e8-88f912c1401d","shortName":"vmware","dateUpdated":"2025-09-18T06:29:51.189Z"},"references":[{"url":"https://spring.io/security/cve-2025-41248"}],"source":{"discovery":"UNKNOWN"},"title":"CVE-2025-41248: Spring Security authorization bypass for method security annotations on parameterized types","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-289","lang":"en","description":"CWE-289 Authentication Bypass by Alternate Name"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-09-16T19:27:50.837990Z","id":"CVE-2025-41248","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-16T19:28:23.179Z"}}]}}