Spring Security Authorization Bypass Vulnerability in Private Methods

Vulnerability

A vulnerability exists in Spring Security versions 6.4.0 through 6.4.5, where the Spring Security Aspects may fail to properly identify method security annotations on private methods. This can lead to an authorization bypass, allowing private methods with Spring Security annotations to be invoked without the necessary authorization. The issue arises when using '@EnableMethodSecurity(mode=ASPECTJ)' and 'spring-security-aspects'.

Impact

Exploitation of this vulnerability allows private methods annotated with Spring Security method annotations to be called without proper authorization, potentially leading to unauthorized access or actions within the application.

Remediation

Users of affected Spring Security versions should upgrade to version 6.4.6.
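To make the affected pattern concrete and give a team a way to inventory where it occurs, the following Java code is an added example; it is not code from the advisory or from the Spring Security project. It shows the configuration shape the advisory names (AspectJ-mode method security, which is the only mode in which annotations on private methods are enforced at all, since proxy-based Spring AOP cannot intercept private methods) together with a constructed OrderService whose private method carries a @PreAuthorize rule, and then a small reflection-based audit that lists private methods annotated with method-security annotations. The class names OrderService, MethodSecurityConfig and PrivateSecuredMethodAudit are assumptions invented for the example, and the code assumes spring-security-core and spring-context are on the classpath.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.AdviceMode;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

// The configuration shape described in the advisory: method security driven by
// AspectJ weaving (spring-security-aspects) rather than Spring AOP proxies.
@Configuration
@EnableMethodSecurity(mode = AdviceMode.ASPECTJ)
class MethodSecurityConfig {
}

// Constructed sample service (hypothetical): a public entry point delegating to a
// private method that carries the authorization rule. With the affected versions,
// the aspect may not recognise the annotation on the private method.
class OrderService {
    public String cancelOrder(String orderId) {
        return doCancel(orderId);
    }

    @PreAuthorize("hasRole('ADMIN')")
    private String doCancel(String orderId) {
        return "cancelled " + orderId;
    }
}

public class PrivateSecuredMethodAudit {
    // Simple names of the annotations Spring Security's method security evaluates.
    // Matching on the simple name keeps the audit independent of which of the
    // Spring / Jakarta annotation packages a project actually uses.
    private static final Set<String> SECURITY_ANNOTATIONS = Set.of(
            "PreAuthorize", "PostAuthorize", "PreFilter", "PostFilter",
            "Secured", "RolesAllowed", "DenyAll", "PermitAll");

    /** Returns a description of each private method of {@code type} that carries a method-security annotation. */
    public static List<String> findPrivateSecuredMethods(Class<?> type) {
        List<String> hits = new ArrayList<>();
        for (Method m : type.getDeclaredMethods()) {
            if (!Modifier.isPrivate(m.getModifiers())) {
                continue;
            }
            // All of the listed annotations have RUNTIME retention, so reflection sees them.
            for (Annotation a : m.getAnnotations()) {
                String name = a.annotationType().getSimpleName();
                if (SECURITY_ANNOTATIONS.contains(name)) {
                    hits.add(type.getName() + "#" + m.getName() + " [@" + name + "]");
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Run the audit over the classes whose authorization rules you want to inventory.
        for (String finding : findPrivateSecuredMethods(OrderService.class)) {
            System.out.println(finding);
        }
    }
}
```

The audit only inspects the classes you hand it; scanning a whole package would need a classpath scanner, which is not shown here. The finding list is a prioritisation aid, not a fix: the remediation remains upgrading to 6.4.6, and after upgrading it is worth confirming with `mvn dependency:tree` (or the Gradle equivalent) that both spring-security-core and spring-security-aspects resolve to the patched version rather than one being pinned to an affected 6.4.x release by a transitive dependency.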

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

Category          Score
spread            4.2
impact            5.0
exploitability    4.3
remediation       7.7
relevance         0.0
threat            0.0
urgency           2.9
incentive         1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.