Visit NES for Spring Home Page
Spring Framework Release Notes
24 versions
Comprehensive release notes and changelog for Spring Framework, detailing HeroDevs-provided security patches across all supported versions.
March 2026
6.1.26
Released Mar 23, 2026 Full Version:
6.1.21-spring-framework-6.1.26
Bug Fixes
- SSE content spoofing via unvalidated
idandeventfield values inSseEmitterandServerSentEvent(CVE-2026-22735). - Path traversal via unvalidated template location in
ScriptTemplateView(CVE-2026-22737).
5.3.50
Released Mar 23, 2026 Full Version:
5.3.39-spring-framework-5.3.50
Bug Fixes
- SSE content spoofing via unvalidated
idandeventfield values inSseEmitterandServerSentEvent(CVE-2026-22735). - Path traversal via unvalidated template location in
ScriptTemplateView(CVE-2026-22737).
4.3.37
Released Mar 23, 2026 Full Version:
4.3.30-spring-framework-4.3.37
Bug Fixes
- SSE content spoofing via unvalidated
idandeventfield values inSseEmitter(CVE-2026-22735). - Path traversal via unvalidated template location in
ScriptTemplateView(CVE-2026-22737).
October 2025
4.3.36
Released Oct 21, 2025 Full Version:
4.3.30-spring-framework-4.3.36
Bug Fixes
- This patches the Spring Framework STOMP over websocket CSRF vulnerability (CVE-2025-41254).
6.1.25
Released Oct 17, 2025 Full Version:
6.1.21-spring-framework-6.1.25
Bug Fixes
- This patches the Spring Framework STOMP over websocket CSRF vulnerability (CVE-2025-41254).
5.3.49
Released Oct 17, 2025 Full Version:
5.3.39-spring-framework-5.3.49
Bug Fixes
- This patches the Spring Framework STOMP over websocket CSRF vulnerability (CVE-2025-41254).
September 2025
6.1.24
Released Sep 16, 2025 Full Version:
6.1.21-spring-framework-6.1.24
Bug Fixes
- This patches the Spring Framework annotation detection vulnerability (CVE-2025-41249).
5.3.48
Released Sep 16, 2025 Full Version:
5.3.39-spring-framework-5.3.48
Bug Fixes
- This patches the Spring Framework annotation detection vulnerability (CVE-2025-41249).
August 2025
5.3.42-trial
Released Aug 26, 2025 Full Version:
5.3.39-spring-framework-5.3.42-trial
Notes
- Add
org.springframework:spring-web:jar:no-remoting:5.3.39-spring-framework-5.3.42-trialfor demonstration purposes only.
6.1.23
Released Aug 15, 2025 Full Version:
6.1.21-spring-framework-6.1.23
Bug Fixes
- Fixed a "Path Traversal Vulnerability" occurring in Spring web MVC applications deployed to a Servlet container that is not secured.
- This addresses CVE-2025-41242.
Dependency Upgrades
- Aspectj
1.9.24 - AssertJ
3.27.4
5.3.47
Released Aug 15, 2025 Full Version:
5.3.39-spring-framework-5.3.47
Bug Fixes
- Fixed a "Path Traversal Vulnerability" occurring in Spring web MVC applications deployed to a Servlet container that is not secured.
- This addresses CVE-2025-41242.
- Added a
no-remotingvariant of thespring-webartifact to remove HTTP Invoker remoting support.- This addresses CVE-2016-1000027.
- See the documentation for more information on using the
no-remotingvariant.
4.3.35
Released Aug 15, 2025 Full Version:
4.3.30-spring-framework-4.3.35
Bug Fixes
- Fixed a "Path Traversal Vulnerability" occurring in Spring web MVC applications deployed to a Servlet container that is not secured.
- This addresses CVE-2025-41242.
July 2025
6.1.22
Released Jul 11, 2025 Full Version:
6.1.21-spring-framework-6.1.22
Notes
- This release originates from the open‑source Spring Framework repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Framework
6.1.21. Full Version:6.1.21-spring-framework-6.1.22
May 2025
5.3.46
Released May 15, 2025 Full Version:
5.3.39-spring-framework-5.3.46
Bug Fixes
- Fixed an additional vulnerability with DataBinder's
disallowedFieldsrelated to case insensitivity.- This addresses CVE-2025-22233.
4.3.34
Released May 15, 2025 Full Version:
4.3.30-spring-framework-4.3.34
Bug Fixes
- Fixed an additional vulnerability with DataBinder's
disallowedFieldsrelated to case insensitivity.- This addresses CVE-2025-22233.
February 2025
December 2024
4.3.32
Released Dec 18, 2024 Full Version:
4.3.30-spring-framework-4.3.32
Bug Fixes
- This release patches the following:
- Spring Expression DoS Vulnerability (CVE-2022-22950).
com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
- Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965).
com.herodevs.nes.springframework:spring-beans:4.3.30-spring-framework-4.3.32com.herodevs.nes.springframework:spring-webmvc:4.3.30-spring-framework-4.3.32
- Spring Framework DoS via Data Binding to MultipartFile or Servlet Part (CVE-2022-22970).
com.herodevs.nes.springframework:spring-beans:4.3.30-spring-framework-4.3.32
- Spring Framework DoS with STOMP over WebSocket (CVE-2022-22971).
com.herodevs.nes.springframework:spring-messaging:4.3.30-spring-framework-4.3.32
- Spring Expression DoS Vulnerability (CVE-2023-20861).
com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
- Spring Expression DoS Vulnerability (CVE-2023-20863).
com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
- Spring Framework URL Parsing with Host Validation (CVE-2024-22243).
com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Spring Framework URL Parsing with Host Validation (CVE-2024-22259).
com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Spring Framework URL Parsing with Host Validation (CVE-2024-22262).
com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Improper handling of case sensitivity (CVE-2022-22968).
com.herodevs.nes.springframework:spring-context:4.3.30-spring-framework-4.3.32com.herodevs.nes.springframework:spring-webmvc:4.3.30-spring-framework-4.3.32
- Spring Expression DoS Vulnerability (CVE-2024-38808).
com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
- Spring Framework DoS via conditional HTTP request (CVE-2024-38809).
com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Spring Framework DataBinder Case Sensitive Match Exception (CVE-2024-38820).
com.herodevs.nes.springframework:spring-context:4.3.30-spring-framework-4.3.32
- DoS via Spring MVC controller method with byte parameter (CVE-2024-38828).
com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Pivotal Spring Framework contains unsafe Java deserialization methods (CVE-2016-1000027).
com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Spring Expression DoS Vulnerability (CVE-2022-22950).
November 2024
4.3.31
Released Nov 18, 2024 Full Version:
4.3.30-spring-framework-4.3.31
Notes
- This is the initial release of Spring Framework 4.3.30 from the open‑source Spring Framework repository forked by HeroDevs.
- This release contains no functional changes from Spring Framework
4.3.30. Full Version:4.3.30-spring-framework-4.3.31
5.3.44
Released Nov 15, 2024 Full Version:
5.3.39-spring-framework-5.3.44
Bug Fixes
- Fixes to core and web packages to address DoS issue.
- This patches DoS via Spring MVC controller method with byte parameter (CVE-2024-38828).
- This fix is included in NES for Spring Framework version
5.3.39-spring-framework-5.3.44in the following artifacts:com.herodevs.nes.springframework:spring-core:5.3.39-spring-framework-5.3.44com.herodevs.nes.springframework:spring-web:5.3.39-spring-framework-5.3.44
October 2024
5.3.43
Released Oct 30, 2024 Full Version:
5.3.39-spring-framework-5.3.43
Bug Fixes
- Fixes to resource handling for Spring's WebMVC.fn and WebFlux.fn (functional) endpoints.
- This patches a variation of the path traversal vulnerability in Spring's functional web frameworks (CVE-2024-38819).
- This fix is included in NES for Spring Framework version
5.3.39-spring-framework-5.3.43in the following artifacts:com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.43com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.43
5.3.42
Released Oct 24, 2024 Full Version:
5.3.39-spring-framework-5.3.42
Bug Fixes
- Fixed an issue with DataBinder's
disallowedFieldsrelated to case insensitivity.- This update addresses the Spring Framework DataBinder Case Sensitive Match Exception (CVE-2024-38820).
- This fix is included in NES for Spring Framework version
5.3.39-spring-framework-5.3.42in the following artifacts:com.herodevs.nes.springframework:spring-context:5.3.39-spring-framework-5.3.42com.herodevs.nes.springframework:spring-core:5.3.39-spring-framework-5.3.42com.herodevs.nes.springframework:spring-web:5.3.39-spring-framework-5.3.42com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.42com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.42com.herodevs.nes.springframework:spring-websocket:5.3.39-spring-framework-5.3.42
September 2024
5.3.41
Released Sep 19, 2024 Full Version:
5.3.39-spring-framework-5.3.41
Bug Fixes
- Fixes to resource handling for Spring's WebMVC.fn and WebFlux.fn (functional) endpoints.
- This patches the path traversal vulnerability in Spring's functional web frameworks (CVE-2024-38816).
- This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.41 in the following artifacts:
com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.41com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.41
August 2024
5.3.40
Released Aug 26, 2024 Full Version:
5.3.39-spring-framework-5.3.40
Notes
- This release originates from the open‑source Spring Framework repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Framework
5.3.39. Full Version:5.3.39-spring-framework-5.3.40
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh