Skip to content

spring-boot-docker-compose-3.5.3.jar: 1 vulnerabilities (highest severity is: 7.5) #33

New issue
New issue
Open
Open
spring-boot-docker-compose-3.5.3.jar: 1 vulnerabilities (highest severity is: 7.5)#33
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Sep 16, 2025
Vulnerable Library - spring-boot-docker-compose-3.5.3.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/6.2.8/2caf1cef93252f5ef2b7f334b8b4d61f3aecad15/spring-core-6.2.8.jar

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (spring-boot-docker-compose version) Remediation Possible**
CVE-2025-41249 High 7.5 spring-core-6.2.8.jar Transitive 3.5.6

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-41249

Vulnerable Library - spring-core-6.2.8.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/6.2.8/2caf1cef93252f5ef2b7f334b8b4d61f3aecad15/spring-core-6.2.8.jar

Dependency Hierarchy:

  • spring-boot-docker-compose-3.5.3.jar (Root Library)
    • spring-boot-3.5.3.jar
      • spring-core-6.2.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-16

URL: CVE-2025-41249

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2025-41249

Release Date: 2025-09-14

Fix Resolution (org.springframework:spring-core): 6.2.11

Direct dependency fix Resolution (org.springframework.boot:spring-boot-docker-compose): 3.5.6

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions