Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN619
_____________________________________________________________________

DATE                : 17/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring Framework versions prior
                             to 6.2.11, 6.1.23, 5.3.45.

=====================================================================
https://spring.io/security/cve-2025-41249/
_____________________________________________________________________


CVE-2025-41249: Spring Framework Annotation Detection Vulnerability
MEDIUM | SEPTEMBER 15, 2025 | CVE-2025-41249

Description

The Spring Framework annotation detection mechanism may not correctly
resolve annotations on methods within type hierarchies with a
parameterized super type with unbounded generics. This can be an
issue if such annotations are used for authorization decisions.

Your application may be affected by this if you are using Spring
Security's @EnableMethodSecurity feature.

You are not affected by this if you are not using
@EnableMethodSecurity or if you do not use security annotations on
methods in generic superclasses or generic interfaces.

This CVE is published in conjunction with CVE-2025-41248.

Affected Spring Products and Versions

Spring Framework:

    6.2.0 - 6.2.10
    6.1.0 - 6.1.22
    5.3.0 - 5.3.44
    Older, unsupported versions are also affected.


Mitigation

Users of affected versions should upgrade to the corresponding
fixed version.


Affected version(s)         Fix version         Availability

6.2.x                   6.2.11          OSS
6.1.x                   6.1.23          Commercial
6.0.x                   N/A             Out of support
5.3.x                   5.3.45          Commercial

No further mitigation steps are necessary.


Credit

The issue was identified and responsibly reported by an
anonymous individual.


References

    https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:O/RC:C/CR:L/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N&version=3.1


History

    2025-09-15: Initial vulnerability report published.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================