Spring Boot 2.5.x Release Notes

Bug Fixes

• Incorrect matcher generated by Actuator's EndpointRequest.to() when the endpoint is not exposed (CVE-2025-22235).
• Signature forgery vulnerability in Spring Boot's jar loader (CVE-2024-38807).
• Fixed TLSv1.3 cipher configuration being silently ignored after Tomcat 9.0.115 upgrade. Applications that configured TLSv1.3 ciphers via server.ssl.ciphers or via options.ciphers in an SSL Bundle would have those ciphers silently dropped, falling back to all default ciphers.
  • See our blog post for details: Silent TLS Cipher Downgrade in Spring Boot.

Notes

• This release originates from the open‑source Spring Boot repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Boot 2.5.15.

Dependency Upgrades

• ActiveMQ 5.16.8
• DB2 JDBC 11.5.9.0
• FreeMarker 2.3.34
• Glassfish JAXB 2.3.9
• Groovy 3.0.25
• Infinispan 12.1.16.Final
• Jackson Bom 2.12.7.20240502
• Jakarta Mail 1.6.8
• Janino 3.1.12
• Jaybird 4.0.10.java8
• Jetty EL 9.0.107
• Jetty Reactive HTTPClient 1.1.19
• Jetty 9.4.58.v20250814
• Johnzon 1.2.22
• Json-smart 2.4.11
• JsonAssert 1.5.3
• Logback 1.2.13
• Lombok 1.18.42
• MariaDB 2.7.13
• Netty 4.1.131.Final
• Netty tcNative 2.0.75.Final
• Postgresql 42.2.29
• RSocket 1.1.5
• Reactor Bom 2020.0.47
• Spring AMQP (NES) 2.3.16-spring-amqp-2.3.17
• Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.13
• Spring HATEOAS (NES) 1.3.7-spring-hateoas-1.3.8
• Spring Kafka (NES) 2.7.14-spring-kafka-2.7.15
• Spring LDAP (NES) 2.3.8-spring-ldap-2.3.9
• Spring Security (NES) 5.5.8-spring-security-5.5.9
• Spring Session BOM (NES) 2021.0.6-spring-session-bom-2021.0.7
• Sun Mail 1.6.8
• Tomcat 9.0.115
• Undertow 2.2.39.Final