9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-41232

GHSA ID

GHSA-9pp5-9c7g-4r83

EPSS Score

0.17905%

CWE

CWE-693

Published

5/21/2025

Updated

5/21/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-41232

CVE-2025-41232: Spring Security authorization bypass for method security annotations on private methods

Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass.

Your application may be affected by this if the following are true:

You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and
You have Spring Security method annotations on a private method In that case, the target method may be able to be invoked without proper authorization.

You are not affected if:

You are not using @EnableMethodSecurity(mode=ASPECTJ) or spring-security-aspects, or
You have no Spring Security-annotated private methods

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-41232

GHSA ID

GHSA-9pp5-9c7g-4r83

EPSS Score

0.17905%

CWE

CWE-693

Published

5/21/2025

Updated

5/21/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework.security:spring-security-aspects	maven	>= 6.4.0, < 6.4.6	6.4.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description points to an issue with Spring Security Aspects not correctly locating method security annotations on private methods. The provided commit bf2aaa1b1830e534ba651d422545ac08a115151b directly addresses this by changing how methods are compared within the UniqueSecurityAnnotationScanner. The change from == to .equals() in the findMethod function is the core of the fix. This incorrect comparison would lead to annotations not being found, especially in AspectJ scenarios where methods might be proxied. The PreAuthorizeAspectTests.java file modification further supports that this area was being tested and fixed. The spring-security-aspects package is where AspectJ integration for Spring Security resides, and UniqueSecurityAnnotationScanner is a core component used in this process for discovering annotations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Sprin* S**urity *sp**ts m*y not *orr**tly lo**t* m*t*o* s**urity *nnot*tions on priv*t* m*t*o*s. T*is **n **us* *n *ut*oriz*tion *yp*ss. Your *ppli**tion m*y ** *****t** *y t*is i* t** *ollowin* *r* tru*: * You *r* usin* @*n**l*M*t*o*S**urity(mo

Reasoning

T** vuln*r**ility **s*ription points to *n issu* wit* Sprin* S**urity *sp**ts not *orr**tly lo**tin* m*t*o* s**urity *nnot*tions on priv*t* m*t*o*s. T** provi*** *ommit `****************************************` *ir**tly ***r*ss*s t*is *y ***n*in* *o

9.1

Basic Information

Concerned about an active attack path?

CVE-2025-41232: Spring Security authorization bypass for method security annotations on private methods

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI