Base Score

MEDIUM5.3

CVE-2025-22223

Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods

VectorNETWORK

Published Bysecurity@vmware.com

Published DateMar 24, 2025, 18:15

Affected Versions(1)

org.springframework.security:spring-security-core(Maven)

Introduced6.4.0

Fixed6.4.4

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.springframework.security:spring-security-core(Maven)	6.4.0	6.4.4	N/A

Weakness Type (CWE):CWE-290

CVSS Metrics

Base Score

5.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

NONE

References

https://spring.io/security/cve-2025-22223

Base Score

MEDIUM5.3

Weakness Type (CWE):CWE-290

CVSS Metrics

Base Score

5.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

NONE