Patched Authentication Bypass under Actuator Health groups paths vulnerability (CVE-2026-22731).
Patched Authentication Bypass under Actuator CloudFoundry endpoints vulnerability (CVE-2026-22733).

Dependency Upgrades

Glassfish JAXB 4.0.7
Hibernate 6.6.45.Final
Jackson Bom 2.18.6
Jakarta XML WS 4.0.3
JBoss Logging 3.6.3.Final
Jetty 12.0.33
Lombok 1.18.44
Maven Failsafe Plugin 3.5.5
Maven Shade Plugin 3.6.2
Maven Surefire Plugin 3.5.5
Reactor Bom 2024.0.16
Spring Authorization Server (NES) 1.4.8-spring-authorization-server-1.4.10
Spring Batch (NES) 5.2.4-spring-batch-5.2.6
Spring Data BOM (NES) 2024.1.13-spring-data-bom-2024.1.15
Spring Framework 6.2.17
Spring GraphQL (NES) 1.3.7-spring-graphql-1.3.9
Spring HATEOAS (NES) 2.4.1-spring-hateoas-2.4.3
Spring Integration (NES) 6.4.10-spring-integration-6.4.12
Spring Kafka 3.3.14
Spring LDAP (NES) 3.2.16-spring-ldap-3.2.19
Spring Pulsar 1.2.16
Spring Security (NES) 6.4.13-spring-security-6.4.15
Spring Session (NES) 3.4.7-spring-session-3.4.9
Spring Web Services (NES) 4.0.17-spring-ws-4.0.19
Undertow 2.3.24.Final

3.3.18

Released Mar 25, 2026

CVE-2026-22733

Full Version:

3.3.13-spring-boot-3.3.18

Bug Fixes

Patched Authentication Bypass under Actuator CloudFoundry endpoints vulnerability (CVE-2026-22733).

Dependency Upgrades

Glassfish JAXB 4.0.7
Jakarta XML WS 4.0.3
Jetty 12.0.33
Lombok 1.18.44
Spring AMQP (NES) 3.1.12-spring-amqp-3.1.17
Spring Authorization Server (NES) 1.3.7-spring-authorization-server-1.3.9
Spring Batch (NES) 5.1.3-spring-batch-5.1.9
Spring Data BOM (NES) 2024.0.13-spring-data-bom-2024.0.15
Spring Framework (NES) 6.1.21-spring-framework-6.1.26
Spring GraphQL (NES) 1.3.7-spring-graphql-1.3.9
Spring HATEOAS (NES) 2.3.4-spring-hateoas-2.3.6
Spring Integration (NES) 6.3.11-spring-integration-6.3.13
Spring Kafka (NES) 3.2.10-spring-kafka-3.2.12
Spring LDAP (NES) 3.2.16-spring-ldap-3.2.19
Spring Pulsar (NES) 1.1.13-spring-pulsar-1.1.15
Spring Security (NES) 6.3.10-spring-security-6.3.12
Spring Session (NES) 3.3.7-spring-session-3.3.9
Spring Web Services (NES) 4.0.17-spring-ws-4.0.19
Undertow 2.3.24.Final

3.2.24

Released Mar 25, 2026

CVE-2026-22733

Full Version:

3.2.12-spring-boot-3.2.24

Bug Fixes

Patched Authentication Bypass under Actuator CloudFoundry endpoints vulnerability (CVE-2026-22733).

Dependency Upgrades

Glassfish JAXB 4.0.7
Jakarta XML WS 4.0.3
Jetty 12.0.33
Lombok 1.18.44
Undertow 2.3.24.Final
Spring AMQP (NES) 3.1.12-spring-amqp-3.1.17
Spring Authorization Server (NES) 1.2.7-spring-authorization-server-1.2.12
Spring Batch (NES) 5.1.3-spring-batch-5.1.9
Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.17
Spring Framework (NES) 6.1.21-spring-framework-6.1.26
Spring GraphQL (NES) 1.2.9-spring-graphql-1.2.12
Spring HATEOAS (NES) 2.2.5-spring-hateoas-2.2.10
Spring Integration (NES) 6.2.11-spring-integration-6.2.18
Spring Kafka (NES) 3.1.10-spring-kafka-3.1.15
Spring LDAP (NES) 3.2.16-spring-ldap-3.2.19
Spring Pulsar (NES) 1.0.12-spring-pulsar-1.0.17
Spring Security (NES) 6.2.8-spring-security-6.2.14
Spring Session (NES) 3.2.7-spring-session-3.2.12
Spring Web Services (NES) 4.0.17-spring-ws-4.0.19

2.7.36

Released Mar 25, 2026

CVE-2026-22733

Full Version:

2.7.18-spring-boot-2.7.36

Bug Fixes

Patched Authentication Bypass under Actuator CloudFoundry endpoints vulnerability (CVE-2026-22733).

Dependency Upgrades

Lombok 1.18.44
Neo4j Java Driver 4.4.22
Spring AMQP (NES) 2.4.17-spring-amqp-2.4.25
Spring Batch (NES) 4.3.10-spring-batch-4.3.18
Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.25
Spring Framework (NES) 5.3.39-spring-framework-5.3.50
Spring GraphQL (NES) 1.0.6-spring-graphql-1.0.15
Spring HATEOAS (NES) 1.5.6-spring-hateoas-1.5.13
Spring Integration (NES) 5.5.20-spring-integration-5.5.30
Spring Kafka (NES) 2.8.11-spring-kafka-2.8.19
Spring LDAP (NES) 2.4.4-spring-ldap-2.4.11
Spring Retry (NES) 1.3.4-spring-retry-1.3.10
Spring Security (NES) 5.7.14-spring-security-5.7.23
Spring Session BOM (NES) 2021.2.3-spring-session-bom-2021.2.11
Spring Web Services (NES) 3.1.8-spring-ws-3.1.16
Tomcat 9.0.116

2.5.17

Released Mar 25, 2026

CVE-2026-22733

Full Version:

2.5.15-spring-boot-2.5.17

Bug Fixes

Patched Authentication Bypass under Actuator CloudFoundry endpoints vulnerability (CVE-2026-22733).

Dependency Upgrades

Spring AMQP (NES) 2.3.16-spring-amqp-2.3.18
Spring Batch (NES) 4.3.10-spring-batch-4.3.18
Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.14
Spring Framework (NES) 5.3.39-spring-framework-5.3.50
Spring HATEOAS (NES) 1.3.7-spring-hateoas-1.3.9
Spring Integration (NES) 5.5.20-spring-integration-5.5.30
Spring Kafka (NES) 2.7.14-spring-kafka-2.7.16
Spring LDAP (NES) 2.3.8-spring-ldap-2.3.10
Spring REST Docs (NES) 2.0.8-spring-restdocs-2.0.10
Spring Retry (NES) 1.3.4-spring-retry-1.3.10
Spring Security (NES) 5.5.8-spring-security-5.5.10
Spring Session BOM (NES) 2021.0.6-spring-session-bom-2021.0.8
Spring Web Services (NES) 3.1.8-spring-ws-3.1.16

2.5.16

Released Mar 11, 2026

CVE-2025-22235

CVE-2024-38807

Full Version:

2.5.15-spring-boot-2.5.16

Bug Fixes

Incorrect matcher generated by Actuator's EndpointRequest.to() when the endpoint is not exposed (CVE-2025-22235).
Signature forgery vulnerability in Spring Boot's jar loader (CVE-2024-38807).
Fixed TLSv1.3 cipher configuration being silently ignored after Tomcat 9.0.115 upgrade. Applications that configured TLSv1.3 ciphers via server.ssl.ciphers or via options.ciphers in an SSL Bundle would have those ciphers silently dropped, falling back to all default ciphers.
- See our blog post for details: Silent TLS Cipher Downgrade in Spring Boot.

Notes

This release originates from the open‑source Spring Boot repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Boot 2.5.15.

Dependency Upgrades

ActiveMQ 5.16.8
DB2 JDBC 11.5.9.0
FreeMarker 2.3.34
Glassfish JAXB 2.3.9
Groovy 3.0.25
Infinispan 12.1.16.Final
Jackson Bom 2.12.7.20240502
Jakarta Mail 1.6.8
Janino 3.1.12
Jaybird 4.0.10.java8
Jetty EL 9.0.107
Jetty Reactive HTTPClient 1.1.19
Jetty 9.4.58.v20250814
Johnzon 1.2.22
Json-smart 2.4.11
JsonAssert 1.5.3
Logback 1.2.13
Lombok 1.18.42
MariaDB 2.7.13
Netty 4.1.131.Final
Netty tcNative 2.0.75.Final
Postgresql 42.2.29
RSocket 1.1.5
Reactor Bom 2020.0.47
Spring AMQP (NES) 2.3.16-spring-amqp-2.3.17
Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.13
Spring HATEOAS (NES) 1.3.7-spring-hateoas-1.3.8
Spring Kafka (NES) 2.7.14-spring-kafka-2.7.15
Spring LDAP (NES) 2.3.8-spring-ldap-2.3.9
Spring Security (NES) 5.5.8-spring-security-5.5.9
Spring Session BOM (NES) 2021.0.6-spring-session-bom-2021.0.7
Sun Mail 1.6.8
Tomcat 9.0.115
Undertow 2.2.39.Final

February 2026

3.4.15

Released Feb 25, 2026

Full Version:

3.4.13-spring-boot-3.4.15

Bug Fixes

Fixed TLSv1.3 cipher configuration being silently ignored after Tomcat 10.1.52 upgrade. Applications that configured TLSv1.3 ciphers via server.ssl.ciphers or via options.ciphers in an SSL Bundle would have those ciphers silently dropped, falling back to all default ciphers.
- See our blog post for details: Silent TLS Cipher Downgrade in Spring Boot.

Dependency Upgrades

Hibernate 6.6.42.Final
Infinispan 15.0.22.Final
JBoss Logging 3.6.2.Final
Jakarta XML Bind 4.0.5
Jetty 12.0.32
Logback 1.5.32
MySQL 9.6.0
Netty 4.1.131.Final
Postgresql 42.7.10
Reactor Bom 2024.0.15
Spring AMQP 3.2.9
Spring Framework 6.2.16
Spring Kafka 3.3.13
Spring Pulsar 1.2.15
Tomcat 10.1.52
Undertow 2.3.23.Final
jOOQ 3.19.30

3.3.17

Released Feb 25, 2026

Full Version:

3.3.13-spring-boot-3.3.17

Bug Fixes

Fixed TLSv1.3 cipher configuration being silently ignored after Tomcat 10.1.52 upgrade. Applications that configured TLSv1.3 ciphers via server.ssl.ciphers or via options.ciphers in an SSL Bundle would have those ciphers silently dropped, falling back to all default ciphers.
- See our blog post for details: Silent TLS Cipher Downgrade in Spring Boot.

Dependency Upgrades

Infinispan 15.0.22.Final
Jakarta XML Bind 4.0.5
Jetty 12.0.32
Logback 1.5.32
Neo4j Java Driver 5.28.10
Netty 4.1.131.Final
Postgresql 42.7.10
Tomcat 10.1.52
Undertow 2.3.23.Final
jOOQ 3.19.30

3.2.23

Released Feb 25, 2026

Full Version:

3.2.12-spring-boot-3.2.23

Bug Fixes

Fixed TLSv1.3 cipher configuration being silently ignored after Tomcat 10.1.52 upgrade. Applications that configured TLSv1.3 ciphers via server.ssl.ciphers or via options.ciphers in an SSL Bundle would have those ciphers silently dropped, falling back to all default ciphers.
- See our blog post for details: Silent TLS Cipher Downgrade in Spring Boot.

Dependency Upgrades

Jakarta XML Bind 4.0.5
Jetty 12.0.32
Netty 4.1.131.Final
Tomcat 10.1.52
Undertow 2.3.23.Final
jOOQ 3.18.37

2.7.35

Released Feb 25, 2026

Full Version:

2.7.18-spring-boot-2.7.35

Bug Fixes

Fixed TLSv1.3 cipher configuration being silently ignored after Tomcat 9.0.115 upgrade. Applications that configured TLSv1.3 ciphers via server.ssl.ciphers or via options.ciphers in an SSL Bundle would have those ciphers silently dropped, falling back to all default ciphers.
- See our blog post for details: Silent TLS Cipher Downgrade in Spring Boot.

Dependency Upgrades

Netty 4.1.131.Final
Undertow 2.2.39.Final

January 2026

3.4.14

Released Jan 28, 2026

Full Version:

3.4.13-spring-boot-3.4.14

Notes

This release originates from the open‑source Spring Boot repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Boot 3.4.13.

Dependency Upgrades

Spring AMQP (NES) 3.2.8-spring-amqp-3.2.9
Spring Authorization Server (NES) 1.4.8-spring-authorization-server-1.4.9
Spring Batch (NES) 5.2.4-spring-batch-5.2.5
Spring Data BOM (NES) 2024.1.13-spring-data-bom-2024.1.14
Spring HATEOAS (NES) 2.4.1-spring-hateoas-2.4.2
Spring Integration (NES) 6.4.10-spring-integration-6.4.11
Spring Kafka (NES) 3.3.11-spring-kafka-3.3.12
Spring LDAP (NES) 3.2.16-spring-ldap-3.2.18
Spring Pulsar (NES) 1.2.13-spring-pulsar-1.2.14
Spring Security (NES) 6.4.13-spring-security-6.4.14
Spring Session (NES) 3.4.7-spring-session-3.4.8
Spring Web Services (NES) 4.0.17-spring-ws-4.0.18

3.3.16

Released Jan 28, 2026

Full Version:

3.3.13-spring-boot-3.3.16

Dependency Upgrades

Classmate 1.7.3
Groovy 4.0.30
Jaybird 5.0.11.java11
Logback 1.5.26
Pooled JMS 3.1.9
Postgresql 42.7.9
R2DBC MSSQL 1.0.4.RELEASE
Undertow 2.3.22.Final

3.2.22

Released Jan 28, 2026

Full Version:

3.2.12-spring-boot-3.2.22

Dependency Upgrades

Dropwizard Metrics 4.2.38
Groovy 4.0.30
Jaybird 5.0.11.java11
Pooled JMS 3.1.9
R2DBC MSSQL 1.0.4.RELEASE
Undertow 2.3.22.Final

2.7.34

Released Jan 28, 2026

Full Version:

2.7.18-spring-boot-2.7.34

Dependency Upgrades

Dropwizard Metrics 4.2.38
Tomcat 9.0.115

December 2025

3.3.15

Released Dec 18, 2025

Full Version:

3.3.13-spring-boot-3.3.15

Dependency Upgrades

AspectJ 1.9.25.1
Logback 1.5.22
Netty 4.1.130.Final
Pooled JMS 3.1.8
Spring GraphQL (NES) 1.3.7-spring-graphql-1.3.8
Spring LDAP (NES) 3.2.16-spring-ldap-3.2.18
Spring WS 4.0.17
Tomcat 10.1.50

3.2.21

Released Dec 18, 2025

Full Version:

3.2.12-spring-boot-3.2.21

Dependency Upgrades

AspectJ 1.9.25.1
Jetty 12.0.31
Netty 4.1.130.Final
Pooled JMS 3.1.8
Spring LDAP (NES) 3.2.16-spring-ldap-3.2.18
Spring WS 4.0.17
Tomcat 10.1.50
jOOQ 3.18.36

2.7.33

Released Dec 18, 2025

Full Version:

2.7.18-spring-boot-2.7.33

Dependency Upgrades

Netty 4.1.130.Final
Tomcat 9.0.113

3.3.14

Released Dec 10, 2025

Full Version:

3.3.13-spring-boot-3.3.14

Notes

This release originates from the open‑source Spring Boot repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Boot 3.3.13.

Dependency Upgrades

Angus Mail 2.0.5
AspectJ 1.9.25
Classmate 1.7.1
Ehcache3 3.10.9
Glassfish JAXB 4.0.6
Groovy 4.0.29
Hibernate Validator 8.0.3.Final
Infinispan 15.0.21.Final
Jakarta Activation 2.1.4
Jakarta Mail 2.1.5
Jakarta XML Bind 4.0.4
Jaybird 5.0.10.java11
Jersey 3.1.11
Jetty Reactive HTTPClient 4.0.13
Jetty 12.0.31
Logback 1.5.21
Lombok 1.18.42
MSSQL JDBC 12.6.5.jre11
Netty 4.1.128.Final
Postgresql 42.7.8
R2DBC H2 1.0.1.RELEASE
R2DBC MSSQL 1.0.3.RELEASE
R2DBC Postgresql 1.0.9.RELEASE
RxJava3 3.1.12
Spring AMQP (NES) 3.1.12-spring-amqp-3.1.16
Spring Authorization Server (NES) 1.3.7-spring-authorization-server-1.3.8
Spring Batch (NES) 5.1.3-spring-batch-5.1.8
Spring Data BOM (NES) 2024.0.13-spring-data-bom-2024.0.14
Spring Framework (NES) 6.1.21-spring-framework-6.1.25
Spring GraphQL 1.3.6
Spring HATEOAS (NES) 2.3.4-spring-hateoas-2.3.5
Spring Integration (NES) 6.3.11-spring-integration-6.3.12
Spring Kafka (NES) 3.2.10-spring-kafka-3.2.11
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.17
Spring Pulsar (NES) 1.1.13-spring-pulsar-1.1.14
Spring RESTDocs 3.0.5
Spring Security (NES) 6.3.10-spring-security-6.3.11
Spring Session (NES) 3.3.7-spring-session-3.3.8
Spring WS 4.0.16
Tomcat 10.1.49
Undertow 2.3.20.Final
jOOQ 3.19.29Full Version: 3.3.13-spring-boot-3.3.14

November 2025

3.2.20

Released Nov 21, 2025

Full Version:

3.2.12-spring-boot-3.2.20

Dependency Upgrades

AspectJ 1.9.25
Jetty 12.0.30
Jetty Reactive HTTPClient 4.0.13
R2DBC Postgresql 1.0.9.RELEASE
Tomcat 10.1.49
jOOQ 3.18.35

2.7.32

Released Nov 21, 2025

Full Version:

2.7.18-spring-boot-2.7.32

Dependency Upgrades

Johnzon 1.2.22
Tomcat 9.0.112

October 2025

3.2.19

Released Oct 24, 2025

Full Version:

3.2.12-spring-boot-3.2.19

Dependency Upgrades

Angus Mail 2.0.5
Glassfish JAXB 4.0.6
Groovy 4.0.29
Jaybird 5.0.10.java11
Jetty 12.0.29
Jetty Reactive HTTPClient 4.0.12
MSSQL JDBC 12.4.3.jre11
Netty 4.1.128.Final
R2DBC H2 1.0.1.RELEASE
R2DBC Postgresql 1.0.8.RELEASE
RxJava3 3.1.12
Spring AMQP (NES) 3.1.12-spring-amqp-3.1.16
Spring Authorization Server (NES) 1.2.7-spring-authorization-server-1.2.11
Spring Batch (NES) 5.1.3-spring-batch-5.1.8
Spring Data Bom (NES) 2023.1.12-spring-data-bom-2023.1.15
Spring Framework (NES) 6.1.21-spring-framework-6.1.25
Spring HATEOAS (NES) 2.2.5-spring-hateoas-2.2.9
Spring Integration (NES) 6.2.11-spring-integration-6.2.17
Spring Kafka (NES) 3.1.10-spring-kafka-3.1.14
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.17
Spring Pulsar (NES) 1.0.12-spring-pulsar-1.0.16
Spring Security (NES) 6.2.8-spring-security-6.2.13
Spring Session (NES) 3.2.7-spring-session-3.2.11
Spring WS 4.0.16
Tomcat 10.1.48
Undertow 2.3.20.Final
jOOQ 3.18.34

2.7.31

Released Oct 23, 2025

Full Version:

2.7.18-spring-boot-2.7.31

Dependency Upgrades

MSSQL JDBC 10.2.4.jre8
Netty 4.1.128.Final
Spring AMQP (NES) 2.4.17-spring-amqp-2.4.24
Spring Batch (NES) 4.3.10-spring-batch-4.3.17
Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.24
Spring Framework (NES) 5.3.39-spring-framework-5.3.49
Spring GraphQL (NES) 1.0.6-spring-graphql-1.0.14
Spring HATEOAS (NES) 1.5.6-spring-hateoas-1.5.12
Spring Integration (NES) 5.5.20-spring-integration-5.5.29
Spring Kafka (NES) 2.8.11-spring-kafka-2.8.18
Spring LDAP (NES) 2.4.4-spring-ldap-2.4.10
Spring Security (NES) 5.7.14-spring-security-5.7.22
Spring Session BOM (NES) 2021.2.3-spring-session-bom-2021.2.10
Spring Web Services (NES) 3.1.8-spring-ws-3.1.15
Tomcat 9.0.111
Undertow 2.2.38.Final

1.5.30

Released Oct 23, 2025

Full Version:

1.5.22-spring-boot-1.5.30

Dependency Upgrades

Spring Framework (NES) 4.3.30-spring-framework-4.3.36
Spring Security (NES) 4.2.20-spring-security-4.2.28
Spring Social (NES) 1.1.6-spring-social-1.1.11
Spring Social Twitter (NES) 1.1.2-spring-social-twitter-1.1.7
Spring Web Services (NES) 2.4.7-spring-ws-2.4.12

September 2025

3.2.18

Released Sep 30, 2025

Full Version:

3.2.12-spring-boot-3.2.18

Dependency Upgrades

Spring Batch (NES) 5.1.3-spring-batch-5.1.7
Spring Integration (NES) 6.2.11-spring-integration-6.2.16

2.7.30

Released Sep 30, 2025

Full Version:

2.7.18-spring-boot-2.7.30

Dependency Upgrades

Spring AMQP (NES) 2.4.17-spring-amqp-2.4.23
Spring Batch (NES) 4.3.10-spring-batch-4.3.16
Spring Integration (NES) 5.5.20-spring-integration-5.5.28
Spring Kafka (NES) 2.8.11-spring-kafka-2.8.17

3.2.17

Released Sep 23, 2025

Full Version:

3.2.12-spring-boot-3.2.17

Dependency Upgrades

Dropwizard Metrics 4.2.37
Ehcache3 3.10.9
Jakarta Activation 2.1.4
Jakarta Mail 2.1.5
Jakarta XML Bind 4.0.4
Jetty 12.0.27
jOOQ 3.18.33
Lombok 1.18.42
Netty 4.1.127.Final
R2DBC MSSQL 1.0.3.RELEASE
Spring AMQP (NES) 3.1.12-spring-amqp-3.1.15
Spring Authorization Server (NES) 1.2.7-spring-authorization-server-1.2.10
Spring Batch (NES) 5.1.3-spring-batch-5.1.6
Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.15
Spring Framework (NES) 6.1.21-spring-framework-6.1.24
Spring HATEOAS (NES) 2.2.5-spring-hateoas-2.2.8
Spring Integration (NES) 6.2.11-spring-integration-6.2.15
Spring Kafka (NES) 3.1.10-spring-kafka-3.1.13
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.16
Spring Pulsar (NES) 1.0.12-spring-pulsar-1.0.15
Spring Security (NES) 6.2.8-spring-security-6.2.12
Spring Session (NES) 3.2.7-spring-session-3.2.10
Tomcat 10.1.46
Undertow 2.3.19.Final

2.7.29

Released Sep 23, 2025

Full Version:

2.7.18-spring-boot-2.7.29

Dependency Updates

Dropwizard Metrics 4.2.37
Ehcache3 3.10.9
Lombok 1.18.42
Neo4j Java Driver 4.4.21
Netty 4.1.127.Final
Spring AMQP (NES) 2.4.17-spring-amqp-2.4.22
Spring Batch (NES) 4.3.10-spring-batch-4.3.15
Spring Data Bom (NES) 2021.2.18-spring-data-bom-2021.2.23
Spring Framework (NES) 5.3.39-spring-framework-5.3.48
Spring GraphQL (NES) 1.0.6-spring-graphql-1.0.13
Spring HATEOAS (NES) 1.5.6-spring-hateoas-1.5.11
Spring Integration (NES) 5.5.20-spring-integration-5.5.27
Spring Kafka (NES) 2.8.11-spring-kafka-2.8.16
Spring LDAP (NES) 2.4.4-spring-ldap-2.4.9
Spring Security (NES) 5.7.14-spring-security-5.7.21
Spring Session Bom (NES) 2021.2.3-spring-session-bom-2021.2.9
Spring WS (NES) 3.1.8-spring-ws-3.1.14
Tomcat 9.0.109

August 2025

2.7.21-trial

Released Aug 26, 2025

Full Version:

2.7.18-spring-boot-2.7.21-trial

Dependency Upgrades

Spring Framework 5.3.39-spring-framework-5.3.42-trial

3.2.16

Released Aug 25, 2025

Full Version:

3.2.12-spring-boot-3.2.16

Dependency Updates

Angus Mail 2.0.4
Groovy 4.0.28
Hibernate Validator 8.0.3.Final
Infinispan 14.0.35.Final
Jaybird 5.0.9.java11
Jersey 3.1.11
Jetty 12.0.24
Jetty Reactive HTTPClient 4.0.11
jOOQ 3.18.32
Netty 4.1.123.Final
RxJava3 3.1.11
Spring AMQP (NES) 3.1.12-spring-amqp-3.1.14
Spring Authorization Server (NES) 1.2.7-spring-authorization-server-1.2.9
Spring Batch (NES) 5.1.3-spring-batch-5.1.5
Spring Data Bom 202(NES) 3.1.12-spring-data-bom-2023.1.14
Spring Framework (NES) 6.1.21-spring-framework-6.1.23
Spring GraphQL (NES) 1.2.9-spring-graphql-1.2.11
Spring HATEOAS (NES) 2.2.5-spring-hateoas-2.2.7
Spring Integration (NES) 6.2.11-spring-integration-6.2.13
Spring Kafka (NES) 3.1.10-spring-kafka-3.1.12
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.15
Spring Pulsar (NES) 1.0.12-spring-pulsar-1.0.14
Spring RESTDocs 3.0.5
Spring Security (NES) 6.2.8-spring-security-6.2.11
Spring Session (NES) 3.2.7-spring-session-3.2.9
Tomcat 10.1.44

2.7.28

Released Aug 25, 2025

Full Version:

2.7.18-spring-boot-2.7.28

Dependency Updates

Jakarta Mail 1.6.8
Jetty 9.4.58.v20250814
Jetty EL 9.0.107
Jetty Reactive HTTPClient 1.1.19
Netty 4.1.124.Final
Spring AMQP (NES) 2.4.17-spring-amqp-2.4.21
Spring Batch (NES) 4.3.10-spring-batch-4.3.14
Spring Data Bom (NES) 2021.2.18-spring-data-bom-2021.2.22
Spring Framework (NES) 5.3.39-spring-framework-5.3.47
Spring GraphQL (NES) 1.0.6-spring-graphql-1.0.12
Spring HATEOAS (NES) 1.5.6-spring-hateoas-1.5.10
Spring Integration (NES) 5.5.20-spring-integration-5.5.26
Spring Kafka (NES) 2.8.11-spring-kafka-2.8.15
Spring LDAP (NES) 2.4.4-spring-ldap-2.4.8
Spring Retry (NES) 1.3.4-spring-retry-1.3.8
Spring Security (NES) 5.7.14-spring-security-5.7.20
Spring Session Bom (NES) 2021.2.3-spring-session-bom-2021.2.8
Spring WS (NES) 3.1.8-spring-ws-3.1.13
Sun Mail 1.6.8
Tomcat 9.0.108

1.5.29

Released Aug 25, 2025

Full Version:

1.5.22-spring-boot-1.5.29

Dependency Upgrades

Spring Framework (NES) 4.3.30-spring-framework-4.3.35
Spring Security (NES) 4.2.20-spring-security-4.2.27
Spring Social (NES) 1.1.6-spring-social-1.1.10
Spring Social Twitter (NES) 1.1.2-spring-social-twitter-1.1.6
Spring WS (NES) 2.4.7-spring-ws-2.4.11

July 2025

3.2.15

Released Jul 15, 2025

Full Version:

3.2.12-spring-boot-3.2.15

Dependency Upgrades

Dropwizard Metrics 4.2.33
Jaybird 5.0.8.java11
Jetty 12.0.23
jOOQ 3.18.31
Netty 4.1.122.Final
Reactor Bom 2023.0.19
Spring AMQP (NES) 3.1.12-spring-amqp-3.1.13
Spring Authorization Server (NES) 1.2.7-spring-authorization-server-1.2.8
Spring Batch (NES) 5.1.3-spring-batch-5.1.4
Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.13
Spring Framework (NES) 6.1.21-spring-framework-6.1.22
Spring GraphQL (NES) 1.2.9-spring-graphql-1.2.10
Spring HATEOAS (NES) 2.2.5-spring-hateoas-2.2.6
Spring Kafka (NES) 3.1.10-spring-kafka-3.1.11
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.14
Spring Pulsar (NES) 1.0.12-spring-pulsar-1.0.13
Spring RESTDocs 3.0.4
Spring Security (NES) 6.2.8-spring-security-6.2.10
Spring Session (NES) 3.2.7-spring-session-3.2.8
Spring WS 4.0.15
Tomcat 10.1.42

June 2025

2.7.27

Released Jun 24, 2025

Full Version:

2.7.18-spring-boot-2.7.27

Dependency Upgrades

Dropwizard Metrics 4.2.33
Elasticsearch 7.17.29
Groovy 3.0.25
Jetty EL 9.0.105
Netty 4.1.122.Final
Tomcat 9.0.106

May 2025

3.2.14

Released May 29, 2025

Full Version:

3.2.12-spring-boot-3.2.14

Dependency Upgrades

Dropwizard Metrics 4.2.32
Groovy 4.0.27
Jetty Reactive HTTPClient 4.0.10
Spring Framework 6.1.20
Spring Retry 2.0.12
Spring WS 4.0.14

3.2.13

Released May 27, 2025

CVE-2025-22235

Full Version:

3.2.12-spring-boot-3.2.13

Bug Fixes

Patched a bug where an incorrect matcher is generated by Spring Boot Actuator's EndpointRequest.to() when the Actuator endpoint is not exposed. (CVE-2025-22235).
- org.springframework.boot:spring-boot-actuator-autoconfigure:3.2.12-spring-boot-3.2.13

Notes

This release originates from the open‑source Spring Boot repository forked by HeroDevs. This release contains no functional changes from Spring Boot 3.2.12.

Dependency Upgrades

ActiveMQ 5.18.7
AspectJ 1.9.24
Commons Pool2 2.12.1
Dependency Management Plugin 1.1.7
Dropwizard Metrics 4.2.30
FreeMarker 2.3.34
Groovy 4.0.26
Hibernate Validator 8.0.2.Final
Infinispan 14.0.34.Final
Jaybird 5.0.7.java11
Jersey 3.1.10
Jetty 12.0.21
Jetty Reactive HTTPClient 4.0.9
jOOQ 3.18.30
Json-smart 2.5.2
Lombok 1.18.38
MariaDB 3.3.4
Maven Deploy Plugin 3.1.4
Maven Install Plugin 3.1.4
Netty 4.1.121.Final
Pulsar Reactive 0.5.10
R2DBC Proxy 1.1.6.RELEASE
Reactor Bom 2023.0.18
RSocket 1.1.5
RxJava3 3.1.10
SLF4J 2.0.17
Spring AMQP 3.1.11
Spring Batch 5.1.3
Spring Framework 6.1.19
Spring Integration (NES) 6.2.11-spring-integration-6.2.12
Spring LDAP 3.2.12
Spring Retry 2.0.11
Spring Security (NES) 6.2.8-spring-security-6.2.9
Spring Session 3.2.7
Spring WS 4.0.13
Thymeleaf 3.1.3.RELEASE
Thymeleaf Extras SpringSecurity 3.1.3.RELEASE
Tomcat 10.1.41Full Version: 3.2.12-spring-boot-3.2.13

2.7.26

Released May 22, 2025

Full Version:

2.7.18-spring-boot-2.7.26

Dependency Upgrades

Spring AMQP (NES) 2.4.17-spring-amqp-2.4.20
Spring Batch (NES) 4.3.10-spring-batch-4.3.13
Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.21
Spring Framework (NES) 5.3.40-spring-framework-5.3.46
Spring GraphQL (NES) 1.0.6-spring-graphql-1.0.11
Spring HATEOAS (NES) 1.5.6-spring-hateoas-1.5.9
Spring Integration (NES) 5.5.20-spring-integration-5.5.25
Spring Kafka (NES) 2.8.11-spring-kafka-2.8.14
Spring LDAP (NES) 2.4.4-spring-ldap-2.4.7
Spring Retry (NES) 1.3.4-spring-retry-1.3.7
Spring Security (NES) 5.7.14-spring-security-5.7.19
Spring Session BOM (NES) 2021.2.3-spring-session-bom-2021.2.7
Spring WS (NES) 3.1.8-spring-ws-3.1.12

1.5.28

Released May 22, 2025

Full Version:

1.5.22-spring-boot-1.5.28

Dependency Upgrades

Spring Framework (NES) 4.3.30-spring-framework-4.3.34
Spring Security (NES) 4.2.20-spring-security-4.2.26
Spring Social (NES) 1.1.6-spring-social-1.1.9
Spring Social Twitter (NES) 1.1.2-spring-social-twitter-1.1.5
Spring WS (NES) 2.4.7-spring-ws-2.4.10

April 2025

1.5.27

Released Apr 30, 2025

Full Version:

1.5.22-spring-boot-1.5.27

Dependency Upgrades

Spring Security (NES) 4.2.20-spring-security-4.2.25

2.7.25

Released Apr 25, 2025

CVE-2025-22235

Full Version:

2.7.18-spring-boot-2.7.25

Bug Fixes

This patches a bug where an incorrect matcher is generated by Spring Boot Actuator's EndpointRequest.to() when the Actuator endpoint is not exposed. (CVE-2025-22235).
- org.springframework.boot/spring-boot-actuator-autoconfigure:2.7.18-spring-boot-2.7.25

Dependency Upgrades

Tomcat 9.0.104

2.7.24

Released Apr 23, 2025

Full Version:

2.7.18-spring-boot-2.7.24

Dependency Upgrades

Spring GraphQL (NES) 1.0.6-spring-graphql-1.0.10
Spring Integration (NES) 5.5.20-spring-integration-5.5.24
Spring Security (NES) 5.7.14-spring-security-5.7.18
Spring Session BOM (NES) 2021.2.3-spring-session-bom-2021.2.6
ActiveMQ 5.16.8
Jetty EL 9.0.102
Lombok 1.18.38
Netty 4.1.120.Final

March 2025

2.7.23

Released Mar 20, 2025

Full Version:

2.7.18-spring-boot-2.7.23

Dependency Upgrades

Spring GraphQL (NES) 1.0.6-spring-graphql-1.0.9
Spring Integration (NES) 5.5.20-spring-integration-5.5.23
Spring Security (NES) 5.7.14-spring-security-5.7.17
Spring Session BOM (NES) 2021.2.3-spring-session-bom-2021.2.5
Tomcat 9.0.102

1.5.26

Released Mar 20, 2025

Full Version:

1.5.22-spring-boot-1.5.26

Dependency Upgrades

Spring Security (NES) 4.2.20-spring-security-4.2.24

2.7.22

Released Mar 4, 2025

Full Version:

2.7.18-spring-boot-2.7.22

Dependency Upgrades

Spring Kafka (NES) 2.8.11-spring-kafka-2.8.13
Dropwizard Metrics 4.2.30
Elasticsearch 7.17.28
Groovy 3.0.24
Jetty EL 9.0.96
Jetty 9.4.57.v20241219
Neo4j Java Driver 4.4.20
Netty 4.1.119.Final
RSocket 1.1.5
Tomcat 9.0.100

February 2025

2.7.21

Released Feb 24, 2025

Full Version:

2.7.18-spring-boot-2.7.21

Notes

Publish Spring Boot under the org.springframework.boot group ID instead of com.herodevs.nes.springframework.boot.

Dependency Upgrades

Spring AMQP (NES) 2.4.17-spring-amqp-2.4.19
Spring Batch (NES) 4.3.10-spring-batch-4.3.12
Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.20
Spring Framework (NES) 5.3.39-spring-framework-5.3.45
Spring GraphQL (NES) 1.0.6-spring-graphql-1.0.8
Spring HATEOAS (NES) 1.5.6-spring-hateoas-1.5.8
Spring Integration (NES) 5.5.20-spring-integration-5.5.22
Spring Kafka (NES) 2.8.11-spring-kafka-2.8.12
Spring LDAP (NES) 2.4.4-spring-ldap-2.4.6
Spring Retry (NES) 1.3.4-spring-retry-1.3.6
Spring Session BOM (NES) 2021.2.3-spring-session-bom-2021.2.4
Spring WS (NES) 3.1.8-spring-ws-3.1.10
Awaitility 4.2.2
Dropwizard Metrics 4.2.29
Elasticsearch 7.17.26
FreeMarker 2.3.34
Groovy 3.0.23
Infinispan 13.0.22.Final
Janino 3.1.12
Jaybird 4.0.10.java8
Jetty 9.4.56.v20240826
Jetty EL 9.0.90
Jetty Reactive HTTPClient 1.1.18
JsonAssert 1.5.3
Logback 1.2.13
Lombok 1.18.36
Neo4j Java Driver 4.4.19
Netty 4.1.116.Final
Pooled JMS 1.2.8
Postgresql 42.3.10
Rabbit AMQP Client: 5.24.0
Reactor Bom 2020.0.47
SnakeYAML: 1.33
Solr 8.11.4
Tomcat 9.0.98
UnboundID LDAPSDK 6.0.11
Undertow 2.2.37.Final

1.5.25

Released Feb 24, 2025

Full Version:

1.5.22-spring-boot-1.5.25

Notes

Publish Spring Boot under the org.springframework.boot group ID instead of com.herodevs.nes.springframework.boot.

Dependency Upgrades

Spring Amqp 1.7.15.RELEASE
Spring Framework (NES): 4.3.30-spring-framework-4.3.33
Spring Integration 4.3.24.RELEASE
Spring Ldap 2.3.8.RELEASE
Spring Retry 1.2.5.RELEASE
Spring Security (NES): 4.2.20-spring-security-4.2.23
Spring Security Jwt 1.0.11.RELEASE
Spring Security Oauth: 2.0.19.RELEASE
Spring Social (NES): 1.1.6-spring-social-1.1.8
Spring Social Twitter (NES): 1.1.2-spring-social-twitter-1.1.4
Spring WS (NES): 2.4.7-spring-ws-2.4.9
Appengine Sdk 1.9.98
Commons Beanutils 1.9.4
Freemarker 2.3.34
Groovy 2.4.21
Gson 2.8.9
Httpasyncclient 4.1.5
Httpclient 4.5.14
Httpcore 4.4.16
Infinispan 8.2.12.Final
Jackson 2.8.11.20200310
Jboss Logging 3.3.3.Final
Jboss Transaction Spi 7.6.1.Final
Jdom2 2.0.6.1
Mssql Jdbc 6.1.0.jre8
Mysql 5.1.49
Slf4j 1.7.36
Tomcat 8.5.98
Undertow 1.4.28.Final

December 2024

1.5.24

Released Dec 18, 2024

CVE-2022-27772

CVE-2023-20883

Full Version:

1.5.22-spring-boot-1.5.24

Bug Fixes

This release patches the following:
- Temporary Directory Hijacking to Local Privilege Escalation Vulnerability (CVE-2022-27772).
  - com.herodevs.nes.springframework.boot:spring-boot:1.5.22-spring-boot-1.5.24
- Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883).
  - com.herodevs.nes.springframework.boot:spring-boot-autoconfigure:1.5.22-spring-boot-1.5.24
  - com.herodevs.nes.springframework.boot:spring-boot-test-autoconfigure:1.5.22-spring-boot-1.5.24

Notes

This release updates Spring Framework to NES version 4.3.32 and Spring Security NES to NES version 4.2.22.

November 2024

1.5.23

Released Nov 27, 2024

Full Version:

1.5.22-spring-boot-1.5.23

Notes

This is the initial release of Spring Boot 1.5.22 from the open‑source Spring Boot repository forked by HeroDevs.
This release contains no functional changes from Spring Boot 1.5.22. Full Version: 1.5.22-spring-boot-1.5.23

September 2024

2.7.20

Released Sep 25, 2024

CVE-2024-38807

Full Version:

2.7.18-spring-boot-2.7.20

Bug Fixes

Addresses issue in Spring Boot Jar loader to detect signature mismatch of nested jar files.
- This patches the signature forgery vulnerability in Spring Boot's jar loader (CVE-2024-38807).
- This fix is included in NES for Spring Boot version 2.7.18-spring-boot-2.7.20 in the following artifacts:
  - com.herodevs.nes.springframework.boot:spring-boot-loader:2.7.18-spring-boot-2.7.20

August 2024

2.7.19

Released Aug 26, 2024

Full Version:

2.7.18-spring-boot-2.7.19

Notes

This release originates from the open‑source Spring Boot repository forked by HeroDevs. This release updates Spring Framework to NES version 5.3.40 and Spring Security NES version 5.7.13.
The original Spring Boot 2.7.18 version included the following versions:
- Spring Framework 5.3.31
- Spring Security 5.7.11
With the upgrade to our NES versions of Spring Framework 5.3.40 and Spring Security 5.7.13, these include the following changes from both Spring Framework and Spring Security projects. The release notes for those releases are listed below for reference:
- Spring Framework:
- Spring Security:
  - 5.7.12
Includes other modifications implemented by HeroDevs to ensure successful library builds.
This release contains no functional changes from Spring Boot 2.7.18. Full Version: 2.7.18-spring-boot-2.7.19

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team