CVE-2025-22223

Summary

Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. 

You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods

Affected Software

VendorProductVersion RangeStatus
SpringSpring Security6.4.0-6.4.3affected

Weaknesses

  • CWE-290: CWE-290 Authentication Bypass by Spoofing

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References