CVE-2025-22223
Chainguard vulnerability analysis and mitigation

Overview

Spring Security versions 6.4.0 through 6.4.3 may fail to locate method security annotations declared on parameterized types or methods, which can result in an authorization bypass. The issue was discovered and reported independently by Vasil Ilchev and Neale Upstone and was publicly disclosed on March 19, 2025 (Spring Security).

Technical details

The vulnerability affects applications that use @EnableMethodSecurity and place method security annotations (such as @PreAuthorize) on a parameterized superclass, interface, or overridden method while the concrete target method itself carries no annotation. Because the annotation lookup can miss the annotation on the parameterized ancestor, the authorization interceptor is not applied and the method can be invoked without the intended check. It follows that applications which do not use @EnableMethodSecurity, have no method security annotations on parameterized types or methods, or annotate every target method directly are not affected. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, and NVD classifies it as CWE-290 (Authentication Bypass by Spoofing) (NVD).

Impact

The vulnerability is an authorization bypass: a method that should have been guarded can be invoked by a caller who should have been denied. The CVSS vector rates this as a low confidentiality impact (C:L) with no integrity or availability impact, but the actual exposure depends on what the unguarded method does, since the same missing interceptor applies equally to read, write and delete operations declared on a parameterized ancestor (Spring Security).

Mitigation and workarounds

Users of affected versions should upgrade to Spring Security 6.4.4, which contains the fix. If upgrading is not immediately possible, the advisory lists two workarounds: move the annotations from the parameterized ancestor onto the target method itself, or publish an AuthorizationManagerBeforeMethodInterceptor that also looks for annotations on parameterized types (Spring Security, Spring Blog). Whichever option is chosen, each method that inherits its annotation should be exercised as an under-privileged caller to confirm the check actually fires.
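The following is an added example, not code from the advisory or from the Spring Security project. It shows one code shape that matches the affected pattern described under Technical details (a @PreAuthorize rule declared on a parameterized interface method, with an un-annotated override in the implementing class), the first workaround from the advisory (repeating the annotation on the target method), and a JUnit 5 regression test that invokes both services as a non-admin user. The interface CrudService, the classes Account, AccountService, HardenedAccountService and MethodSecurityConfig, and the test class are all hypothetical names chosen for this illustration; the test assumes spring-security-test, spring-test and JUnit 5 are on the classpath. proxyTargetClass = true is set so that the concrete service types can be autowired even though they implement an interface.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

import static org.junit.jupiter.api.Assertions.assertThrows;

// Hypothetical generic interface: the authorization rule lives on the
// parameterized ancestor, not on the implementing method.
interface CrudService<T, ID> {
    @PreAuthorize("hasRole('ADMIN')")
    void delete(ID id);
}

// Hypothetical entity type used only as the type argument below.
class Account { }

// Affected shape: the override carries no annotation of its own. On Spring
// Security 6.4.0 through 6.4.3 the inherited rule may not be located, so
// delete(Long) can run without any ADMIN check.
class AccountService implements CrudService<Account, Long> {
    @Override
    public void delete(Long id) {
        // application logic would go here
    }
}

// Advisory workaround 1: repeat the annotation on the target method so the
// lookup never has to resolve the parameterized ancestor.
class HardenedAccountService implements CrudService<Account, Long> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(Long id) {
        // application logic would go here
    }
}

// Minimal method-security configuration for the test context.
// proxyTargetClass = true makes Spring create class-based proxies so the
// concrete service types can be injected by their own type.
@Configuration
@EnableMethodSecurity(proxyTargetClass = true)
class MethodSecurityConfig {
    @Bean
    AccountService accountService() {
        return new AccountService();
    }

    @Bean
    HardenedAccountService hardenedAccountService() {
        return new HardenedAccountService();
    }
}

// Regression test: a caller holding only ROLE_USER must be refused by both
// services. On Spring Security 6.4.4, or after applying the workaround, both
// assertions pass; on an affected version inheritedRuleIsEnforced fails
// because no interceptor is applied to AccountService.delete(Long).
@SpringJUnitConfig(MethodSecurityConfig.class)
class InheritedAnnotationTest {
    @Autowired
    AccountService accountService;

    @Autowired
    HardenedAccountService hardenedAccountService;

    @Test
    @WithMockUser(roles = "USER")
    void inheritedRuleIsEnforced() {
        assertThrows(AccessDeniedException.class, () -> accountService.delete(1L));
    }

    @Test
    @WithMockUser(roles = "USER")
    void targetMethodRuleIsEnforced() {
        assertThrows(AccessDeniedException.class, () -> hardenedAccountService.delete(1L));
    }
}
```

Run the test once before and once after upgrading (or after moving the annotations): a failing inheritedRuleIsEnforced on the old version is the positive confirmation that the application was relying on an annotation the affected scanner could not find. The same test structure can be applied to any other parameterized superclass or interface in the code base by swapping in the relevant service and method.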
