Spring Product Security Update Advisory
Overview
We have released security updates to fix vulnerabilities in Spring products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2025-41243
Spring Cloud Gateway version: 4.3.0 or later and earlier than 4.3.1
Spring Cloud Gateway version: 4.2.0 or later and earlier than 4.2.5
Spring Cloud Gateway version: 4.1.0 or later and earlier than 4.1.11
Spring Cloud Gateway version: 4.0.0 (all releases of this line)
Spring Cloud Gateway version: 3.1.0 or later and earlier than 3.1.11
CVE-2025-41248
Spring Security version: 6.4.0 or later and 6.4.9 or earlier
Spring Security version: 6.5.0 or later and 6.5.3 or earlier
CVE-2025-41249
Spring Framework version: 6.2.0 or later and 6.2.10 or earlier
Spring Framework version: 6.1.0 or later and 6.1.22 or earlier
Spring Framework version: 5.3.0 or later and 5.3.44 or earlier
Resolved Vulnerabilities
Spring environment property modification vulnerability in Spring Cloud Gateway (CVE-2025-41243)
Method Security Annotation Privilege Bypass Vulnerability in Spring Security (CVE-2025-41248)
Annotation Detection Vulnerability in Spring Framework (CVE-2025-41249)
Vulnerability Patches
Patches for these vulnerabilities are included in the latest releases. Please follow the instructions on the referenced sites to update to the patched versions listed below.
CVE-2025-41243
Spring Cloud Gateway version: 4.3.1
Spring Cloud Gateway version: 4.2.5
Spring Cloud Gateway version: 4.1.11
Spring Cloud Gateway version: 3.1.11
CVE-2025-41248
Spring Security version: 6.4.10
Spring Security version: 6.5.4
CVE-2025-41249
Spring Framework version: 6.2.11
Spring Framework version: 6.1.23
Spring Framework version: 5.3.45
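To turn the version ranges above into an automated check, here is an added example (not code from the advisory or from the Spring project) that encodes the affected and patched versions listed on this page and tests a dependency coordinate against them. The function names, the reading of "4.0.0 (all releases)" as 4.0.0 <= v < 4.1.0, and the mapping from Maven coordinates to products are assumptions of this example.

```python
# Added example, not advisory code: bounds below come from the advisory; names are assumed.
import re
from typing import Optional

# (CVE, lower inclusive, upper bound, upper inclusive?, patched release or None when
#  the advisory lists none for that line; "4.0.0 (all)" is read as 4.0.0 <= v < 4.1.0)
AFFECTED = {
    "spring-cloud-gateway": [
        ("CVE-2025-41243", "4.3.0", "4.3.1", False, "4.3.1"),
        ("CVE-2025-41243", "4.2.0", "4.2.5", False, "4.2.5"),
        ("CVE-2025-41243", "4.1.0", "4.1.11", False, "4.1.11"),
        ("CVE-2025-41243", "4.0.0", "4.1.0", False, None),
        ("CVE-2025-41243", "3.1.0", "3.1.11", False, "3.1.11"),
    ],
    "spring-security": [
        ("CVE-2025-41248", "6.4.0", "6.4.9", True, "6.4.10"),
        ("CVE-2025-41248", "6.5.0", "6.5.3", True, "6.5.4"),
    ],
    "spring-framework": [
        ("CVE-2025-41249", "6.2.0", "6.2.10", True, "6.2.11"),
        ("CVE-2025-41249", "6.1.0", "6.1.22", True, "6.1.23"),
        ("CVE-2025-41249", "5.3.0", "5.3.44", True, "5.3.45"),
    ],
}

def parse_version(v: str) -> tuple:
    """Numeric major.minor.patch prefix, so '5.3.44.RELEASE' and '6.2' both compare."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def check(product: str, version: str) -> Optional[dict]:
    """Return {'cve', 'fixed'} if the version is in an affected range, else None."""
    v = parse_version(version)
    for cve, lo, hi, hi_incl, fixed in AFFECTED.get(product, []):
        under_hi = v <= parse_version(hi) if hi_incl else v < parse_version(hi)
        if parse_version(lo) <= v and under_hi:
            return {"cve": cve, "fixed": fixed}
    return None

def check_coordinate(coord: str) -> Optional[dict]:
    """Check one Maven/Gradle coordinate line (the coordinate-to-product mapping is assumed)."""
    group, artifact, *rest = coord.strip().split(":")
    version = next(p for p in rest if p[:1].isdigit())  # skips 'jar' / scope fields
    product = ("spring-framework" if group == "org.springframework"
               else next((p for p in AFFECTED if artifact.startswith(p)), None))
    return check(product, version) if product else None
```

A result with `fixed` set to None means the advisory lists no patched release in that line, so the remediation is to move to one of the patched lines above.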
References
[1] CVE-2025-41243: Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux
https://spring.io/security/cve-2025-41243
[2] CVE-2025-41248: Spring Security authorization bypass for method security annotations on parameterized types
https://spring.io/security/cve-2025-41248
[3] CVE-2025-41249: Spring Framework Annotation Detection Vulnerability
https://spring.io/security/cve-2025-41249