spring-security-config is vulnerable to Authorization Bypass
Risk score: 80 (High Risk)
Affected versions of this package are vulnerable to an authorization bypass due to Spring Security Aspects failing to correctly detect method-level security annotations on private methods. This issue occurs when @EnableMethodSecurity(mode = ASPECTJ) is used in combination with the spring-security-aspects module, and security annotations are applied to private methods. As a result, these methods may be invoked without the intended authorization checks, potentially allowing unauthorized access.
You are affected if you are using a vulnerable version. You are not affected if you are not using @EnableMethodSecurity(mode = ASPECTJ) or the spring-security-aspects module, or if your application does not include any private methods annotated with Spring Security annotations.
spring-security-config is vulnerable to Authorization Bypass in versions 6.4.0 - 6.4.4.
Upgrade the org.springframework.security:spring-security-config library to a patched version.
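To check a codebase against the conditions above, the following added example (not part of the original advisory or of Spring Security) scans Java source text for ASPECTJ-mode method security and for private methods carrying security annotations. The annotation list, the function names and the sample class are assumptions made for illustration; the version range is the one stated in this advisory.

```python
import re

# Assumed annotation list; extend it with any custom meta-annotations you use.
SECURITY_ANNOTATIONS = ("PreAuthorize", "PostAuthorize", "PreFilter", "PostFilter", "Secured")
AFFECTED_RANGE = ((6, 4, 0), (6, 4, 4))  # versions named in the advisory

STRING = re.compile(r'"(?:\\.|[^"\\])*"')           # Java string literals
ANNOTATION = re.compile(r"@(\w+)(?:\s*\([^()]*\))?")  # annotation with optional arguments
ASPECTJ = re.compile(r"@EnableMethodSecurity\s*\([^()]*\bmode\s*=\s*(?:AdviceMode\.)?ASPECTJ\b")
PRIVATE_METHOD = re.compile(r"\bprivate\b[^;={}()]*?\b(\w+)\s*\(")

def version_affected(version):
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return len(parts) == 3 and AFFECTED_RANGE[0] <= parts <= AFFECTED_RANGE[1]

def uses_aspectj_mode(source):
    return bool(ASPECTJ.search(STRING.sub('""', source)))

def private_secured_methods(source):
    """Return (line, method, annotations) for private methods with security annotations."""
    findings, pending = [], []
    for number, raw in enumerate(source.splitlines(), 1):
        line = STRING.sub('""', raw).strip()  # blank out literals so their content is ignored
        if not line or line.startswith(("//", "/*", "*")):
            continue  # blank lines and comments do not end an annotation run
        pending += [a for a in ANNOTATION.findall(line) if a in SECURITY_ANNOTATIONS]
        rest = ANNOTATION.sub("", line).strip()
        if not rest:
            continue  # annotation-only line: the declaration follows
        match = PRIVATE_METHOD.search(rest)
        if match and pending:
            findings.append((number, match.group(1), tuple(pending)))
        pending = []  # any declaration line consumes the pending annotations
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
@Configuration
@EnableMethodSecurity(mode = AdviceMode.ASPECTJ)
public class AccountService {
    @PreAuthorize("hasRole('ADMIN')")
    private void purge(String id) { repo.delete(id); }

    @PreAuthorize("hasRole('USER')")
    public Account load(String id) { return repo.find(id); }

    private String note = "@Secured private helper(";
}
'''

if __name__ == "__main__":
    print(uses_aspectj_mode(SAMPLE), private_secured_methods(SAMPLE))
```

This is a line-based heuristic rather than a Java parser: annotations whose arguments span several lines or contain nested parentheses are not recognized, so treat an empty result as a prompt for manual review, not as proof.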