REDHAT-BUG-2395723

Published Sep 16, 2025

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies that have a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass. Your application may be affected if you use Spring Security's @EnableMethodSecurity feature. You are not affected if you do not use @EnableMethodSecurity, or if you do not place security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41249 (https://spring.io/security/cve-2025-41249).
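The following is an added illustration, not code from the advisory or from the Spring Security project, of the kind of type hierarchy the advisory describes: a method security annotation declared on a method of a generic super type with an unbounded type parameter, inherited by a concrete implementation. The second implementation shows the shape of the workaround the FAQ below suggests, keeping the authorization rule on the concrete method so that resolution does not depend on the generic hierarchy. All class and method names are hypothetical; whether a given hierarchy is actually affected depends on the Spring Security version in use, and the advisory's fix is to upgrade.

```java
// Added illustration (hypothetical names); not from the advisory or Spring.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

// Precondition named by the advisory: method security is enabled.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Generic super type with an unbounded type parameter T. The security
// annotation lives only on the generic interface method.
interface ItemService<T> {
    @PreAuthorize("hasRole('ADMIN')")
    void delete(T item);
}

// Concrete implementation that relies on the annotation being inherited
// from the parameterized super type. This is the shape the advisory flags.
class ReportService implements ItemService<String> {
    @Override
    public void delete(String item) {
        // delete the report (omitted)
    }
}

// Workaround shape from the FAQ: declare the rule on the concrete method as
// well, so enforcement does not depend on resolving the generic hierarchy.
class HardenedReportService implements ItemService<String> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(String item) {
        // delete the report (omitted)
    }
}
```

After upgrading, the quickest confirmation that the rule is enforced is a unit test that invokes the concrete bean's method without the required role and expects an AccessDeniedException; a test that only exercises the interface-annotated path would not distinguish the two implementations above.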

Affected Software

1 affected component
Pivotal Spring Security

Event History

Sep 16, 2025, 11:01 AM: Data sourced via Red Hat

Frequently Asked Questions

1

What is the severity of REDHAT-BUG-2395723?

The severity of REDHAT-BUG-2395723 is classified as high due to the potential for authorization bypass.

2

How do I fix REDHAT-BUG-2395723?

To fix REDHAT-BUG-2395723, update your Spring Security to the latest version where this issue is addressed.

3

What are the potential impacts of REDHAT-BUG-2395723?

The potential impacts of REDHAT-BUG-2395723 include unauthorized access to application functionalities due to flawed method security annotations.

4

What versions of Spring Security are affected by REDHAT-BUG-2395723?

REDHAT-BUG-2395723 affects various versions of Spring Security, particularly those utilizing unbounded generics in type hierarchies.

5

Is there a workaround for REDHAT-BUG-2395723?

A temporary workaround for REDHAT-BUG-2395723 may involve avoiding the use of parameterized super types in method security annotations.
