HeroDevs
Visit NES for Spring Home Page

Spring Framework Release Notes

21 versions

Industry-standard Java framework providing the foundation for modern enterprise application development.

Oct 21, 2025
Latest: 4.3.36
29 Patched CVEs

October 2025

4.3.36

Released on Oct 21, 2025
CVE-2025-41254
Full Version: 
4.3.30-spring-framework-4.3.36

Bug Fixes

  • This patches the Spring Framework STOMP over websocket CSRF vulnerability (CVE-2025-41254).

6.1.25

Released on Oct 17, 2025
CVE-2025-41254
Full Version: 
6.1.21-spring-framework-6.1.25

Bug Fixes

  • This patches the Spring Framework STOMP over websocket CSRF vulnerability (CVE-2025-41254).

5.3.49

Released on Oct 17, 2025
CVE-2025-41254
Full Version: 
5.3.39-spring-framework-5.3.49

Bug Fixes

  • This patches the Spring Framework STOMP over websocket CSRF vulnerability (CVE-2025-41254).

September 2025

6.1.24

Released on Sep 16, 2025
CVE-2025-41249
Full Version: 
6.1.21-spring-framework-6.1.24

Bug Fixes

  • This patches the Spring Framework annotation detection vulnerability (CVE-2025-41249).

5.3.48

Released on Sep 16, 2025
CVE-2025-41249
Full Version: 
5.3.39-spring-framework-5.3.48

Bug Fixes

  • This patches the Spring Framework annotation detection vulnerability (CVE-2025-41249).

August 2025

5.3.42-trial

Released on Aug 26, 2025
Full Version: 
5.3.39-spring-framework-5.3.42-trial

Notes

  • Add org.springframework:spring-web:jar:no-remoting:5.3.39-spring-framework-5.3.42-trial for demonstration purposes only.

6.1.23

Released on Aug 15, 2025
CVE-2025-41242
Full Version: 
6.1.21-spring-framework-6.1.23

Bug Fixes

  • Fixed a "Path Traversal Vulnerability" occurring in Spring web MVC applications deployed to a Servlet container that is not secured.

Dependency Upgrades

  • Aspectj 1.9.24
  • AssertJ 3.27.4

5.3.47

Released on Aug 15, 2025
CVE-2025-41242
Full Version: 
5.3.39-spring-framework-5.3.47

Bug Fixes

  • Fixed a "Path Traversal Vulnerability" occurring in Spring web MVC applications deployed to a Servlet container that is not secured.

4.3.35

Released on Aug 15, 2025
CVE-2025-41242
Full Version: 
4.3.30-spring-framework-4.3.35

Bug Fixes

  • Fixed a "Path Traversal Vulnerability" occurring in Spring web MVC applications deployed to a Servlet container that is not secured.

July 2025

6.1.22

Released on Jul 11, 2025
Full Version: 
6.1.21-spring-framework-6.1.22

Notes

  • This release originates from the open‑source Spring Framework repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Framework 6.1.21.

May 2025

5.3.46

Released on May 15, 2025
CVE-2025-22233
Full Version: 
5.3.39-spring-framework-5.3.46

Bug Fixes

  • Fixed an additional vulnerability with DataBinder's disallowedFields related to case insensitivity.

4.3.34

Released on May 15, 2025
CVE-2025-22233
Full Version: 
4.3.30-spring-framework-4.3.34

Bug Fixes

  • Fixed an additional vulnerability with DataBinder's disallowedFields related to case insensitivity.

February 2025

5.3.45

Released on Feb 24, 2025
Full Version: 
5.3.39-spring-framework-5.3.45

Notes

  • Publish Spring Framework under the org.springframework group ID instead of com.herodevs.nes.springframework

4.3.33

Released on Feb 24, 2025
Full Version: 
4.3.30-spring-framework-4.3.33

Notes

  • Publish Spring Framework under the org.springframework group ID instead of com.herodevs.nes.springframework

December 2024

4.3.32

Released on Dec 18, 2024
CVE-2022-22950
CVE-2022-22965
CVE-2022-22970
CVE-2022-22971
CVE-2023-20861
10 More
Full Version: 
4.3.30-spring-framework-4.3.32

Bug Fixes

  • This release patches the following:
    • Spring Expression DoS Vulnerability (CVE-2022-22950).
      • com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
    • Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965).
      • com.herodevs.nes.springframework:spring-beans:4.3.30-spring-framework-4.3.32
      • com.herodevs.nes.springframework:spring-webmvc:4.3.30-spring-framework-4.3.32
    • Spring Framework DoS via Data Binding to MultipartFile or Servlet Part (CVE-2022-22970).
      • com.herodevs.nes.springframework:spring-beans:4.3.30-spring-framework-4.3.32
    • Spring Framework DoS with STOMP over WebSocket (CVE-2022-22971).
      • com.herodevs.nes.springframework:spring-messaging:4.3.30-spring-framework-4.3.32
    • Spring Expression DoS Vulnerability (CVE-2023-20861).
      • com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
    • Spring Expression DoS Vulnerability (CVE-2023-20863).
      • com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
    • Spring Framework URL Parsing with Host Validation (CVE-2024-22243).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
    • Spring Framework URL Parsing with Host Validation (CVE-2024-22259).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
    • Spring Framework URL Parsing with Host Validation (CVE-2024-22262).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
    • Improper handling of case sensitivity (CVE-2022-22968).
      • com.herodevs.nes.springframework:spring-context:4.3.30-spring-framework-4.3.32
      • com.herodevs.nes.springframework:spring-webmvc:4.3.30-spring-framework-4.3.32
    • Spring Expression DoS Vulnerability (CVE-2024-38808).
      • com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
    • Spring Framework DoS via conditional HTTP request (CVE-2024-38809).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
    • Spring Framework DataBinder Case Sensitive Match Exception (CVE-2024-38820).
      • com.herodevs.nes.springframework:spring-context:4.3.30-spring-framework-4.3.32
    • DoS via Spring MVC controller method with byte parameter (CVE-2024-38828).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
    • Pivotal Spring Framework contains unsafe Java deserialization methods (CVE-2016-1000027).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32

November 2024

4.3.31

Released on Nov 18, 2024
Full Version: 
4.3.30-spring-framework-4.3.31

Notes

5.3.44

Released on Nov 15, 2024
CVE-2024-38828
Full Version: 
5.3.39-spring-framework-5.3.44

Bug Fixes

  • Fixes to core and web packages to address DoS issue.
    • This patches DoS via Spring MVC controller method with byte parameter (CVE-2024-38828).
    • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.44 in the following artifacts:
      • com.herodevs.nes.springframework:spring-core:5.3.39-spring-framework-5.3.44
      • com.herodevs.nes.springframework:spring-web:5.3.39-spring-framework-5.3.44

October 2024

5.3.43

Released on Oct 30, 2024
CVE-2024-38819
Full Version: 
5.3.39-spring-framework-5.3.43

Bug Fixes

  • Fixes to resource handling for Spring's WebMVC.fn and WebFlux.fn (functional) endpoints.
    • This patches a variation of the path traversal vulnerability in Spring's functional web frameworks (CVE-2024-38819).
    • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.43 in the following artifacts:
      • com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.43
      • com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.43

5.3.42

Released on Oct 24, 2024
CVE-2024-38820
Full Version: 
5.3.39-spring-framework-5.3.42

Bug Fixes

  • Fixed an issue with DataBinder's disallowedFields related to case insensitivity.
    • This update addresses the Spring Framework DataBinder Case Sensitive Match Exception (CVE-2024-38820).
    • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.42 in the following artifacts:
      • com.herodevs.nes.springframework:spring-context:5.3.39-spring-framework-5.3.42
      • com.herodevs.nes.springframework:spring-core:5.3.39-spring-framework-5.3.42
      • com.herodevs.nes.springframework:spring-web:5.3.39-spring-framework-5.3.42
      • com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.42
      • com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.42
      • com.herodevs.nes.springframework:spring-websocket:5.3.39-spring-framework-5.3.42

September 2024

5.3.41

Released on Sep 19, 2024
CVE-2024-38816
Full Version: 
5.3.39-spring-framework-5.3.41

Bug Fixes

  • Fixes to resource handling for Spring's WebMVC.fn and WebFlux.fn (functional) endpoints.
    • This patches the path traversal vulnerability in Spring's functional web frameworks (CVE-2024-38816).
    • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.41 in the following artifacts:
      • com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.41
      • com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.41

August 2024

5.3.40

Released on Aug 26, 2024
Full Version: 
5.3.39-spring-framework-5.3.40

Notes

  • This release originates from the open‑source Spring Framework repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Framework 5.3.39.

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.