Wiz
Vulnerability DatabaseCVE-2025-41248

CVE-2025-41248
Jenkins vulnerability analysis and mitigation

Overview

CVE-2025-41248 is a security vulnerability discovered in Spring Security that affects versions 6.4.0-6.4.10 and 6.5.0-6.5.4. The vulnerability was disclosed on September 15, 2025, and involves an authorization bypass issue in the Spring Security annotation detection mechanism. The flaw specifically affects applications using Spring Security's @EnableMethodSecurity feature, where the system fails to correctly resolve annotations on methods within type hierarchies with parameterized super types containing unbounded generics (Spring Security, NVD).

Technical details

The vulnerability stems from a flaw in how Spring Security processes method security annotations like @PreAuthorize within type hierarchies containing parameterized super types with unbounded generics. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-289 (Authentication Bypass by Alternate Name) (NVD).

Impact

The vulnerability can result in an authorization bypass, potentially allowing unauthorized access to protected methods within affected applications. This security flaw specifically impacts applications that utilize Spring Security's @EnableMethodSecurity feature. Applications that don't use @EnableMethodSecurity or don't implement security annotations on methods in generic superclasses or generic interfaces are not affected (Spring Security, Security Online).

Mitigation and workarounds

Users of affected versions should upgrade to the fixed versions: Spring Security 6.4.11 for 6.4.x users or Spring Security 6.5.5 for 6.5.x users. If immediate upgrading is not possible, a workaround is available by ensuring all secured target methods are declared in their target class (Spring Security, Spring Blog).

Community reactions

The vulnerability was discovered and responsibly reported by Avgustin Marinov. The Spring Security team has actively addressed the issue by releasing patches and providing detailed advisories. The vulnerability was released in conjunction with CVE-2025-41249, indicating a coordinated response to related security issues in the Spring Framework ecosystem (Spring Security).

Additional resources

SourceThis report was generated using AI

Related Jenkins vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-41249HIGH7.5
  • JenkinsJenkins
  • org.springframework::spring-core
NoYesSep 16, 2025
CVE-2025-41248HIGH7.5
  • JenkinsJenkins
  • org.springframework.security:spring-security-core
NoYesSep 16, 2025
CVE-2025-59476MEDIUM5.3
  • JavaJava
  • jenkins-2.516
NoYesSep 17, 2025
CVE-2025-59474MEDIUM5.3
  • JavaJava
  • cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
NoYesSep 17, 2025
CVE-2025-59475MEDIUM4.3
  • JavaJava
  • jenkins
NoYesSep 17, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo