CVE-2025-41249
WSO2 products impacted: no
Customer actions required: no
REPORTED VULNERABILITY
A vulnerability was identified in Spring Security's @EnableMethodSecurity annotation, which could allow unauthorized access under specific configurations where method-level security is improperly enforced.
REPORTED PRODUCTS
- WSO2 Identity Server: 5.10.0, 5.11.0
- WSO2 API Manager: 3.2.0, 4.0.0
WSO2 JUSTIFICATION
Although the vulnerable dependency org.springframework:spring-core is bundled with WSO2 products, it does not introduce any security risk here. The vulnerability can only be exploited when the @EnableMethodSecurity annotation is used, and that annotation is not present in the relevant WSO2 product codebases.
Therefore, this vulnerability is not exploitable in the aforementioned WSO2 products.
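To confirm that precondition on a deployed installation, the following added check (not part of this advisory or of WSO2's tooling) walks an assumed product directory and reports every class file inside a jar that references the annotation's JVM descriptor, which is how a compiled class records an annotation it carries:

```python
"""Triage scan: does any class in a WSO2 distribution reference Spring
Security's @EnableMethodSecurity, the precondition named in the advisory?"""
import zipfile
from pathlib import Path

# Descriptor form of the annotation as it appears in a class file's constant
# pool when a class is annotated with it (also when it appears in a generic
# signature, so a hit is a lead to inspect, not proof of exploitability).
ENABLE_METHOD_SECURITY = (
    b"Lorg/springframework/security/config/annotation/method/configuration/"
    b"EnableMethodSecurity;"
)


def classes_using_annotation(jar_path, marker=ENABLE_METHOD_SECURITY):
    """Return the .class entries inside one jar whose bytes contain `marker`."""
    hits = []
    with zipfile.ZipFile(jar_path) as jar:
        for entry in jar.namelist():
            if entry.endswith(".class") and marker in jar.read(entry):
                hits.append(entry)
    return hits


def scan_distribution(root):
    """Walk `root` (assumed to be an unpacked product home, e.g. the directory
    holding repository/components and lib) and map every jar that references
    the annotation to the classes inside it that do so."""
    findings = {}
    for jar_path in sorted(Path(root).rglob("*.jar")):
        try:
            hits = classes_using_annotation(jar_path)
        except zipfile.BadZipFile:
            continue  # a file named .jar that is not a zip: skip, do not abort
        if hits:
            findings[str(jar_path)] = hits
    return findings


if __name__ == "__main__":
    import sys

    result = scan_distribution(sys.argv[1] if len(sys.argv) > 1 else ".")
    if not result:
        print("no class file references @EnableMethodSecurity")
    for jar, classes in result.items():
        print(jar)
        for cls in classes:
            print("   ", cls)
```

An empty result supports the advisory's justification for that installation; any hit names the jar and class to review by hand.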