Description
Vulnerable Library - spring-security-test-6.5.1.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/6.2.8/9da1e690f343c30b6ed6eabd5f60ecc5dd0b225a/spring-beans-6.2.8.jar
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (spring-security-test version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2025-41249 | 7.5 | spring-core-6.2.8.jar | Transitive | 6.5.5 | ❌ |
| CVE-2025-41248 | 7.5 | spring-security-core-6.5.1.jar | Transitive | N/A* | ❌ |
| CVE-2025-41242 | 5.9 | spring-beans-6.2.8.jar | Transitive | 6.5.3 | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2025-41249
Vulnerable Library - spring-core-6.2.8.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/6.2.8/2caf1cef93252f5ef2b7f334b8b4d61f3aecad15/spring-core-6.2.8.jar
Dependency Hierarchy:
- spring-security-test-6.5.1.jar (Root Library)
  - ❌ spring-core-6.2.8.jar (Vulnerable Library)
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Found in base branch: master
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution (org.springframework:spring-core): 6.2.11
Direct dependency fix Resolution (org.springframework.security:spring-security-test): 6.5.5
Step up your Open Source Security Game with Mend here
CVE-2025-41248
Vulnerable Library - spring-security-core-6.5.1.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-core/6.5.1/e7df1e6596b39b39f4a01000cab0318c0ed17ab0/spring-security-core-6.5.1.jar
Dependency Hierarchy:
- spring-security-test-6.5.1.jar (Root Library)
  - ❌ spring-security-core-6.5.1.jar (Vulnerable Library)
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Found in base branch: master
Vulnerability Details
Spring Security authorization bypass for method security annotations on parameterized types
Publish Date: 2025-09-16
URL: CVE-2025-41248
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41248
Release Date: 2025-09-16
Fix Resolution: https://github.com/spring-projects/spring-security.git - 6.5.4
CVE-2025-41242
Vulnerable Library - spring-beans-6.2.8.jar
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/6.2.8/9da1e690f343c30b6ed6eabd5f60ecc5dd0b225a/spring-beans-6.2.8.jar
Dependency Hierarchy:
- spring-security-test-6.5.1.jar (Root Library)
  - spring-security-web-6.5.1.jar
    - ❌ spring-beans-6.2.8.jar (Vulnerable Library)
  - spring-security-web-6.5.1.jar
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Found in base branch: master
Vulnerability Details
Spring Framework MVC applications can be vulnerable to a "Path Traversal Vulnerability" when deployed on a non-compliant Servlet container.
An application can be vulnerable when all of the following are true:
- the application is deployed as a WAR or with an embedded Servlet container
- the Servlet container does not reject [suspicious sequences](https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization)
- the application serves [static resources](https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title) with Spring resource handling
We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Publish Date: 2025-08-18
URL: CVE-2025-41242
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41242
Release Date: 2025-08-18
Fix Resolution (org.springframework:spring-beans): 6.2.10
Direct dependency fix Resolution (org.springframework.security:spring-security-test): 6.5.3