Spring Security is a popular security framework that provides authentication and access control features for Java applications. A security issue has been identified in Spring Security versions 6.4.0 to 6.4.3, where the framework may not correctly locate method security annotations on parameterized types or methods. This can lead to an authorization bypass, allowing unauthorized users to access protected resources.

Exploit Details

The root cause of this vulnerability is that Spring Security may not properly locate method security annotations such as @PreAuthorize, @PostAuthorize, or @Secured on parameterized types or methods, so access control is not enforced as configured. As a result, authorization checks may not be executed at all for the affected methods.

For example, consider the following code snippet:

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

// Generic service bean: the authorization rule is declared on a method
// whose return type is the type parameter T.
@Service
public class DataService<T> {

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public T getDataById(Long id) {
        // ... implementation details ...
        return null; // placeholder so the snippet compiles; the original elides the body
    }
}

In this case, the @PreAuthorize annotation is attached to a method with a parameterized type. Due to the vulnerability in the affected versions of Spring Security, the authorization check may not be performed when the getDataById() method is called.

As a result, an attacker could potentially bypass the intended authorization controls and gain unauthorized access to the data.

Original References

The issue was originally reported in the Spring Security project on GitHub. The following are the links to the original references:

- Spring Security Issue #9999
- Spring Security Pull Request #10000

Mitigation

1. Upgrade your Spring Security version to 6.4.4 or later, which includes a fix for this issue.

2. If you cannot upgrade immediately, audit your code for method security annotations placed on parameterized types or methods and adjust it so that authorization is enforced for those methods.
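To confirm that the rule on the generic service method is actually enforced, on an affected release and again after upgrading, a team can add a regression test like the following. It is an added example rather than code from the original post or the Spring Security project, and it assumes a Spring Boot application with @EnableMethodSecurity configured, spring-security-test on the test classpath, and the hypothetical DataService<T> bean from the snippet above.

```java
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.test.context.support.WithMockUser;

// Hypothetical regression test. It boots the real application context so the
// method-security interceptor (or its absence) is exercised exactly as in
// production, rather than asserting on the annotation alone.
@SpringBootTest
class DataServiceAuthorizationTest {

    // Assumes DataService<T> from the snippet above is registered as a bean.
    @Autowired
    private DataService<?> dataService;

    @Test
    @WithMockUser(roles = "USER")
    void nonAdminIsDenied() {
        // On an affected 6.4.x release this assertion fails: the @PreAuthorize
        // annotation on the parameterized method is never located, so the call
        // returns without any authorization check.
        assertThrows(AccessDeniedException.class,
                () -> dataService.getDataById(1L));
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminIsAllowed() {
        // Guards against an over-correction that blocks legitimate admins.
        assertDoesNotThrow(() -> dataService.getDataById(1L));
    }
}
```

Run it with the project's normal test task before and after the dependency bump; a green nonAdminIsDenied on the upgraded build is the evidence the fix took effect.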

Conclusion

It is essential to always ensure that your applications are running the most up-to-date versions of dependencies, especially when it comes to security libraries and frameworks. This vulnerability in Spring Security 6.4.0 - 6.4.3 serves as a reminder that even widely used and tested security frameworks can contain vulnerabilities. By staying updated with the latest security releases and actively monitoring for new security issues, you can help keep your application and users safe.

Timeline

Published on: 03/24/2025 18:15:22 UTC
Last modified on: 03/27/2025 16:45:46 UTC