CVE-2025-41232 – Authorization bypass in Spring Security Aspects

Severity: None

Date: 2025-12-19


Abstract

Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass.

Your application may be affected by this if the following are true:

* You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and
* You have Spring Security method annotations on a private method

In that case, the target method may be able to be invoked without proper authorization.

You are not affected if:

* You are not using @EnableMethodSecurity(mode=ASPECTJ) or spring-security-aspects, or
* You have no Spring Security-annotated private methods

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library's vulnerability.

Affected Products/Versions

Product                          Severity   Fixed Release Availability
Oxygen Feedback v5.2 and older   None       Oxygen Feedback 5.2 build 2025071110

Mitigation

None

Detail

CVE-2025-41232

Severity: Critical (rating of the upstream CVE for the Spring Security library itself; the Oxygen product rating above is None)

CVSS Score: 9.1

CVE-2025-41232 is an authorization bypass in Spring Security Aspects. When an application uses @EnableMethodSecurity(mode=ASPECTJ) together with spring-security-aspects and places Spring Security method annotations on private methods, the aspects may fail to correctly locate those annotations. In such cases, the target private method could be invoked without the expected authorization checks. Applications that do not use ASPECTJ mode or that do not annotate private methods are not affected.

Our review concluded there is no functional impact to our product because the necessary preconditions for exploitation are not present in our codebase (no use of @EnableMethodSecurity(mode=ASPECTJ), no spring-security-aspects dependency, and no private methods annotated with Spring Security method annotations).
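The three preconditions named in that review are the same ones any team running Spring Security has to establish for its own code base. The following audit script is an added example, not Oxygen's or Spring's own code: it scans a Java source tree for an @EnableMethodSecurity annotation with mode = AdviceMode.ASPECTJ, a spring-security-aspects entry in pom.xml or Gradle build files, and a Spring Security method annotation (@PreAuthorize, @PostAuthorize, @PreFilter, @PostFilter, @Secured, plus the JSR-250 ones) whose target declaration is a private method, and reports the application as affected only when all three are present. It is a regex heuristic rather than a Java parser (it assumes parentheses inside annotation string arguments are balanced), and the embedded sample tree (build.gradle, Config.java, ReportService.java with a private loadInternal method) is constructed for the demonstration with hypothetical names.

```python
"""Audit Java sources for the three CVE-2025-41232 preconditions (added example,
not Oxygen's or Spring's code; a regex heuristic, not a Java parser)."""
import re
import sys
from pathlib import Path

# Annotations honoured by @EnableMethodSecurity (JSR-250 ones need jsr250Enabled=true).
SECURITY_ANNOTATIONS = ("PreAuthorize", "PostAuthorize", "PreFilter", "PostFilter",
                        "Secured", "RolesAllowed", "PermitAll", "DenyAll")
ANNOTATION_RE = re.compile(r"@(?:\w+\.)*(" + "|".join(SECURITY_ANNOTATIONS) + r")\b")
ASPECTJ_MODE_RE = re.compile(r"@EnableMethodSecurity\s*\([^)]*\bmode\s*=\s*(?:AdviceMode\.)?ASPECTJ\b")
BUILD_FILES = ("pom.xml", "build.gradle", "build.gradle.kts")
_NAME_RE, _HEAD_RE = re.compile(r"@[\w.]+"), re.compile(r"[^(;{}]*")

def _skip_parens(text, i):
    """i indexes '('; return the index just past its matching ')'. Assumes any
    parentheses inside string arguments (SpEL such as "isAuthenticated()") balance."""
    depth = 0
    while i < len(text):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(text)

def _declaration_after(text, i):
    """Skip whitespace and annotations from i; return the normalised head of the
    method declaration that follows (text before its '('), or None if not a method."""
    n = len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "@":
            i = j = _NAME_RE.match(text, i).end()
            while j < n and text[j].isspace():
                j += 1
            if j < n and text[j] == "(":
                i = _skip_parens(text, j)
        else:
            break
    head = _HEAD_RE.match(text, i).group(0)
    end = i + len(head)
    # Method heads end at '(' and, unlike `private Foo f = new Foo()`, contain no '='.
    if end < n and text[end] == "(" and "=" not in head:
        return " ".join(head.split())
    return None

def find_private_annotated(text):
    """Yield (line, annotation, method_head) for each security annotation on a private method."""
    for m in ANNOTATION_RE.finditer(text):
        head = _declaration_after(text, m.start())
        if head is not None and re.search(r"\bprivate\b", head):
            yield text.count("\n", 0, m.start()) + 1, m.group(1), head

def scan_files(files):
    """files: relative path -> content. Returns the evidence for each precondition."""
    ev = {"aspectj_mode": [], "aspects_dependency": [], "private_annotated": []}
    for rel, text in sorted(files.items()):
        name = rel.rsplit("/", 1)[-1]
        if name in BUILD_FILES and "spring-security-aspects" in text:
            ev["aspects_dependency"].append(rel)
        if name.endswith(".java"):
            if ASPECTJ_MODE_RE.search(text):
                ev["aspectj_mode"].append(rel)
            ev["private_annotated"] += [(rel, *hit) for hit in find_private_annotated(text)]
    return ev

def is_affected(ev):
    """The advisory's affected set is the conjunction of all three preconditions."""
    return all(ev.values())

def scan_tree(root):
    """Collect .java and build files below a Path and scan them."""
    return scan_files({p.relative_to(root).as_posix(): p.read_text("utf-8", "replace")
                       for p in root.rglob("*")
                       if p.is_file() and (p.suffix == ".java" or p.name in BUILD_FILES)})

# Constructed sample tree (hypothetical names) exhibiting all three preconditions.
SAMPLE_TREE = {
    "build.gradle": 'implementation "org.springframework.security:spring-security-aspects"\n',
    "src/demo/Config.java": "@Configuration\n@EnableMethodSecurity(mode = AdviceMode.ASPECTJ)\n"
                            "public class Config {}\n",
    "src/demo/ReportService.java": (
        "public class ReportService {\n"
        "    @Autowired private ReportRepository repo;\n"                       # field: ignored
        "    @PreAuthorize(\"hasRole('ADMIN')\")\n"
        "    public Report load(long id) { return loadInternal(id); }\n"        # public: fine
        "    @PreAuthorize(\"hasRole('ADMIN') and isAuthenticated()\")\n"
        "    @Transactional\n"
        "    private Report loadInternal(long id) { return repo.find(id); }\n"  # precondition 3
        "}\n"),
}

if __name__ == "__main__":
    ev = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_files(SAMPLE_TREE)
    print("AFFECTED" if is_affected(ev) else "not affected: a precondition is missing", ev)
```

Run it with a project root as the only argument, or with no argument to audit the constructed sample. An "AFFECTED" result means the application falls inside the affected set described in the abstract and the Spring Security version on the classpath needs to be checked against the upstream fix; any single missing precondition puts the application in the "not affected" case, which is the conclusion the review above reached for Oxygen Feedback.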
