GHSA-jmp9-x22r-554x

Source

https://github.com/advisories/GHSA-jmp9-x22r-554x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-jmp9-x22r-554x/GHSA-jmp9-x22r-554x.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-jmp9-x22r-554x

Aliases

CVE-2025-41249

Related

Published

2025-09-16T15:32:34Z

Modified

2025-09-16T22:26:52.749597Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Spring Framework annotation detection mechanism may result in improper authorization

Details

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.

Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.

You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.

This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .

Database specific

{
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2025-09-16T11:15:30Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ],
    "github_reviewed_at": "2025-09-16T19:38:20Z"
}

References

Affected packages

Maven / org.springframework:spring-core

Package

Name: org.springframework:spring-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.3.0

Last affected

5.3.44

Affected versions

5.*

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

5.3.11

5.3.12

5.3.13

5.3.14

5.3.15

5.3.16

5.3.17

5.3.18

5.3.19

5.3.20

5.3.21

5.3.22

5.3.23

5.3.24

5.3.25

5.3.26

5.3.27

5.3.28

5.3.29

5.3.30

5.3.31

5.3.32

5.3.33

5.3.34

5.3.35

5.3.36

5.3.37

5.3.38

5.3.39

Maven / org.springframework:spring-core

Package

Name: org.springframework:spring-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Last affected

6.1.22

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

6.0.9

6.0.10

6.0.11

6.0.12

6.0.13

6.0.14

6.0.15

6.0.16

6.0.17

6.0.18

6.0.19

6.0.20

6.0.21

6.0.22

6.0.23

6.1.0

6.1.1

6.1.2

6.1.3

6.1.4

6.1.5

6.1.6

6.1.7

6.1.8

6.1.9

6.1.10

6.1.11

6.1.12

6.1.13

6.1.14

6.1.15

6.1.16

6.1.17

6.1.18

6.1.19

6.1.20

6.1.21

Maven / org.springframework:spring-core

Package

Name: org.springframework:spring-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.11

Affected versions

6.*

6.2.0

6.2.1

6.2.2

6.2.3

6.2.4

6.2.5

6.2.6

6.2.7

6.2.8

6.2.9

6.2.10

Database specific

{
    "last_known_affected_version_range": "<= 6.2.10"
}