HeroDevs

Spring Data Geode 2.5.x Release Notes

1 version

Comprehensive release notes and changelog for Spring Data Geode 2.5.x, including security patches, bug fixes, and feature updates across all supported versions.

May 13, 2026

Latest: 2.5.13

6 Patched Vulnerabilities

VEX Statements

May 2026

2.5.13

Released May 13, 2026

Snapshot Service Configuration

CVE-2026-2817

CVE-2026-2818

Full Version:

2.5.12-spring-data-geode-2.5.13

Bug Fixes

Snapshot archive extraction hardened to use a randomized, owner-only temporary directory with automatic cleanup, and added a new extractionDirectory property on SnapshotServiceFactoryBean so deployments can pin extraction to a pre-secured path. See Snapshot Service Configuration for the supported configurations (CVE-2026-2817).
Snapshot archive entry names sanitized for both / and \ separators, with a canonical-path containment guard, to prevent zip-slip path traversal during snapshot import on Windows (CVE-2026-2818).

Notes

This release originates from the open‑source Spring Data Geode repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Data Geode 2.5.12.

Dependency Upgrades

Spring Data Build (NES) 2.5.12-spring-data-build-2.5.15
Spring Data Commons (NES) 2.5.12-spring-data-commons-2.5.15

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team