spring-security-config is vulnerable to Authorization Bypass
Severity score: 80 (High Risk)
Affected versions of this package are vulnerable to an authorization bypass caused by improper detection of method security annotations on parameterized types or overridden methods. When @EnableMethodSecurity is in use and a security annotation (for example @PreAuthorize) is declared on a parameterized superclass, a parameterized interface, or an overridden method, but is not declared explicitly on the target method, Spring Security may fail to locate the annotation and therefore not enforce the access-control check, allowing unauthorized callers to invoke the method.
An application is affected if it runs a vulnerable version and relies on annotation inheritance of this kind. It is not affected if it does not use @EnableMethodSecurity, does not apply method security annotations to parameterized types or methods, or explicitly places every security annotation on the target method itself.
spring-security-config is vulnerable to Authorization Bypass in versions 6.4.0 - 6.4.3.
Upgrade the org.springframework.security:spring-security-config library to a patched version. If upgrading is not an option, either move the annotations from the parameterized ancestor onto the target methods themselves, or publish an AuthorizationManagerBeforeMethodInterceptor that correctly detects annotations on parameterized types.
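As an added illustration (not code from the advisory or from Spring Security itself), the affected pattern is shown next to the first mitigation the advisory recommends, annotating the target method directly. The interface, class, record and method names are assumptions chosen for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// Method security is switched on, which is a precondition for being affected.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Hypothetical generic interface: the security annotation is declared on a
// parameterized type rather than on a concrete target method.
interface SecuredCrud<T> {
    @PreAuthorize("hasRole('ADMIN')")
    void delete(T entity);
}

// Hypothetical domain type used as the type argument.
record Invoice(String id) {
}

// Affected pattern in spring-security-config 6.4.0 - 6.4.3: the concrete
// override carries no annotation of its own, so the annotation on the
// parameterized ancestor may not be detected and the hasRole('ADMIN')
// check may not be enforced on InvoiceService.delete(Invoice).
@Service
class InvoiceService implements SecuredCrud<Invoice> {
    @Override
    public void delete(Invoice entity) {
        // deletion logic would live here
    }
}

// Mitigated pattern: the same rule is attached explicitly to the target
// method, so enforcement no longer depends on resolving the annotation
// through the parameterized interface.
@Service
class HardenedInvoiceService implements SecuredCrud<Invoice> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(Invoice entity) {
        // deletion logic would live here
    }
}
```

A useful regression check is a Spring test that calls `delete` as a non-admin principal and expects `AccessDeniedException`; on an affected version the call in `InvoiceService` may succeed instead.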