CVE-2025-41249 false positive

Author: ronaveva

docs/history/cves/cve-2025-41242.md

@@ -10,4 +10,4 @@ order: 51
  Rundeck and Runbook Automation are not vulnerable to this CVE.
 :::
 
-This is a Spring vulnerability, but the [CVE article](https://spring.io/security/cve-2025-41242) says "deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration."  The Rundeck product does not disable disable the default security features.
+This is a Spring vulnerability, but the [CVE article](https://spring.io/security/cve-2025-41242) says "deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration."  The Rundeck product does not disable the default security features.

docs/history/cves/cve-2025-41249.md

@@ -0,0 +1,13 @@
+---
+order: 53
+---
+
+# CVE-2025-41249
+
+## The Spring Framework annotation detection mechanism may not correctly resolve annotation
+
+::: danger FALSE POSITIVE
+Rundeck and Runbook Automation are not vulnerable to this CVE.
+:::
+
+This is a Spring Framework vulnerability. [CVE-2025-41249](https://nvd.nist.gov/vuln/detail/CVE-2025-41249) only affects applications using the "EnableMethodSecurity" annotation, which we do not use.

docs/history/cves/index.md

@@ -55,4 +55,5 @@ These are the Security Advisories Rundeck has issued in the past.  It is always
 * [CVE-2024-38827 Locale-sensitive string case conversion methods](cve-2024-38827.md).
 * [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md).
 * [CVE-2025-41242 Spring Path traversal](cve-2025-41242.md).
-* [CVE-2025-48924 Issue in Apache Commons Lang](cve-2025-48924.md)
+* [CVE-2025-48924 Issue in Apache Commons Lang](cve-2025-48924.md)
+* [CVE-2025-41249 Spring Framework annotation detection mechanism may not correctly resolve annotation](cve-2025-41249.md)