Spring Boot 2.5.x Release Notes

4 versions

Comprehensive release notes and changelog for Spring Boot 2.5.x, including security patches, bug fixes, and feature updates across all supported versions.

Apr 28, 2026
Latest: 2.5.19
45 Patched Vulnerabilities

April 2026

2.5.19

Full Version:
2.5.15-spring-boot-2.5.19

Bug Fixes

  • DevTools secret comparison hardened to be timing-safe (CVE-2026-40972).
  • ApplicationTemp directory ownership and symlink handling hardened (CVE-2026-40973).
  • Cassandra TLS hostname verification (CVE-2026-40974).
  • random.value property source switched from a weak PRNG to SecureRandom (CVE-2026-40975).
  • PID file writes use NOFOLLOW_LINKS to prevent symlink redirection (CVE-2026-40977).
  • Actuator HTTP method tag cardinality bounded so unrecognized methods collapse to method=UNKNOWN (CVE-2023-34055).

Dependency Upgrades

  • Spring AMQP (NES) 2.3.16-spring-amqp-2.3.19
  • Spring Batch (NES) 4.3.10-spring-batch-4.3.19
  • Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.15
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.51
  • Spring HATEOAS (NES) 1.3.7-spring-hateoas-1.3.10
  • Spring Integration (NES) 5.5.20-spring-integration-5.5.31
  • Spring Kafka (NES) 2.7.14-spring-kafka-2.7.17
  • Spring LDAP (NES) 2.3.8-spring-ldap-2.3.11
  • Spring Retry (NES) 1.3.4-spring-retry-1.3.11
  • Spring Security (NES) 5.5.8-spring-security-5.5.11
  • Spring Session BOM (NES) 2021.0.6-spring-session-bom-2021.0.9
  • Spring Web Services (NES) 3.1.8-spring-ws-3.1.17

2.5.18

Released Apr 14, 2026
Full Version:
2.5.15-spring-boot-2.5.18

Dependency Upgrades

  • Lombok 1.18.44
  • Netty 4.1.132.Final
  • Tomcat 9.0.117

March 2026

2.5.17

Released Mar 25, 2026
Full Version:
2.5.15-spring-boot-2.5.17

Bug Fixes

  • Patched an authentication bypass vulnerability under the Actuator CloudFoundry endpoints (CVE-2026-22733).

Dependency Upgrades

  • Spring AMQP (NES) 2.3.16-spring-amqp-2.3.18
  • Spring Batch (NES) 4.3.10-spring-batch-4.3.18
  • Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.14
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.50
  • Spring HATEOAS (NES) 1.3.7-spring-hateoas-1.3.9
  • Spring Integration (NES) 5.5.20-spring-integration-5.5.30
  • Spring Kafka (NES) 2.7.14-spring-kafka-2.7.16
  • Spring LDAP (NES) 2.3.8-spring-ldap-2.3.10
  • Spring REST Docs (NES) 2.0.8-spring-restdocs-2.0.10
  • Spring Retry (NES) 1.3.4-spring-retry-1.3.10
  • Spring Security (NES) 5.5.8-spring-security-5.5.10
  • Spring Session BOM (NES) 2021.0.6-spring-session-bom-2021.0.8
  • Spring Web Services (NES) 3.1.8-spring-ws-3.1.16

2.5.16

Full Version:
2.5.15-spring-boot-2.5.16

Bug Fixes

  • Incorrect matcher generated by Actuator's EndpointRequest.to() when the endpoint is not exposed (CVE-2025-22235).
  • Signature forgery vulnerability in Spring Boot's jar loader (CVE-2024-38807).
  • Fixed TLSv1.3 cipher configuration being silently ignored after Tomcat 9.0.115 upgrade. Applications that configured TLSv1.3 ciphers via server.ssl.ciphers or via options.ciphers in an SSL Bundle would have those ciphers silently dropped, falling back to all default ciphers.

Notes

  • This release originates from the open‑source Spring Boot repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Boot 2.5.15.

Dependency Upgrades

  • ActiveMQ 5.16.8
  • DB2 JDBC 11.5.9.0
  • FreeMarker 2.3.34
  • Glassfish JAXB 2.3.9
  • Groovy 3.0.25
  • Infinispan 12.1.16.Final
  • Jackson Bom 2.12.7.20240502
  • Jakarta Mail 1.6.8
  • Janino 3.1.12
  • Jaybird 4.0.10.java8
  • Jetty EL 9.0.107
  • Jetty Reactive HTTPClient 1.1.19
  • Jetty 9.4.58.v20250814
  • Johnzon 1.2.22
  • Json-smart 2.4.11
  • JsonAssert 1.5.3
  • Logback 1.2.13
  • Lombok 1.18.42
  • MariaDB 2.7.13
  • Netty 4.1.131.Final
  • Netty tcNative 2.0.75.Final
  • Postgresql 42.2.29
  • RSocket 1.1.5
  • Reactor Bom 2020.0.47
  • Spring AMQP (NES) 2.3.16-spring-amqp-2.3.17
  • Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.13
  • Spring HATEOAS (NES) 1.3.7-spring-hateoas-1.3.8
  • Spring Kafka (NES) 2.7.14-spring-kafka-2.7.15
  • Spring LDAP (NES) 2.3.8-spring-ldap-2.3.9
  • Spring Security (NES) 5.5.8-spring-security-5.5.9
  • Spring Session BOM (NES) 2021.0.6-spring-session-bom-2021.0.7
  • Sun Mail 1.6.8
  • Tomcat 9.0.115
  • Undertow 2.2.39.Final
