HeroDevs
Visit NES for Spring Home Page

Spring Framework 4.3.x Release Notes

7 versions

Comprehensive release notes and changelog for Spring Framework 4.3.x, including security patches, bug fixes, and feature updates across all supported versions.

Mar 23, 2026
Latest: 4.3.37
37 Patched Vulnerabilities
VEX Statements

March 2026

4.3.37

Released Mar 23, 2026
CVE-2026-22735
CVE-2026-22737
Full Version: 
4.3.30-spring-framework-4.3.37

Bug Fixes

  • SSE content spoofing via unvalidated id and event field values in SseEmitter (CVE-2026-22735).
  • Path traversal via unvalidated template location in ScriptTemplateView (CVE-2026-22737).

October 2025

4.3.36

Released Oct 21, 2025
CVE-2025-41254
Full Version: 
4.3.30-spring-framework-4.3.36

Bug Fixes

  • This patches the Spring Framework STOMP over websocket CSRF vulnerability (CVE-2025-41254).

August 2025

4.3.35

Released Aug 15, 2025
CVE-2025-41242
Full Version: 
4.3.30-spring-framework-4.3.35

Bug Fixes

  • Fixed a "Path Traversal Vulnerability" occurring in Spring web MVC applications deployed to a Servlet container that is not secured.

May 2025

4.3.34

Released May 15, 2025
CVE-2025-22233
Full Version: 
4.3.30-spring-framework-4.3.34

Bug Fixes

  • Fixed an additional vulnerability with DataBinder's disallowedFields related to case insensitivity.

February 2025

4.3.33

Released Feb 24, 2025
Full Version: 
4.3.30-spring-framework-4.3.33

Notes

  • Publish Spring Framework under the org.springframework group ID instead of com.herodevs.nes.springframework

December 2024

4.3.32

Released Dec 18, 2024
CVE-2022-22950
CVE-2022-22965
CVE-2022-22970
CVE-2022-22971
CVE-2023-20861
10 More
Full Version: 
4.3.30-spring-framework-4.3.32

Bug Fixes

  • This release patches the following:
    • Spring Expression DoS Vulnerability (CVE-2022-22950).
      • com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
    • Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965).
      • com.herodevs.nes.springframework:spring-beans:4.3.30-spring-framework-4.3.32
      • com.herodevs.nes.springframework:spring-webmvc:4.3.30-spring-framework-4.3.32
    • Spring Framework DoS via Data Binding to MultipartFile or Servlet Part (CVE-2022-22970).
      • com.herodevs.nes.springframework:spring-beans:4.3.30-spring-framework-4.3.32
    • Spring Framework DoS with STOMP over WebSocket (CVE-2022-22971).
      • com.herodevs.nes.springframework:spring-messaging:4.3.30-spring-framework-4.3.32
    • Spring Expression DoS Vulnerability (CVE-2023-20861).
      • com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
    • Spring Expression DoS Vulnerability (CVE-2023-20863).
      • com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
    • Spring Framework URL Parsing with Host Validation (CVE-2024-22243).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
    • Spring Framework URL Parsing with Host Validation (CVE-2024-22259).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
    • Spring Framework URL Parsing with Host Validation (CVE-2024-22262).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
    • Improper handling of case sensitivity (CVE-2022-22968).
      • com.herodevs.nes.springframework:spring-context:4.3.30-spring-framework-4.3.32
      • com.herodevs.nes.springframework:spring-webmvc:4.3.30-spring-framework-4.3.32
    • Spring Expression DoS Vulnerability (CVE-2024-38808).
      • com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
    • Spring Framework DoS via conditional HTTP request (CVE-2024-38809).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
    • Spring Framework DataBinder Case Sensitive Match Exception (CVE-2024-38820).
      • com.herodevs.nes.springframework:spring-context:4.3.30-spring-framework-4.3.32
    • DoS via Spring MVC controller method with byte parameter (CVE-2024-38828).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
    • Pivotal Spring Framework contains unsafe Java deserialization methods (CVE-2016-1000027).
      • com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32

November 2024

4.3.31

Released Nov 18, 2024
Full Version: 
4.3.30-spring-framework-4.3.31

Notes

  • This is the initial release of Spring Framework 4.3.30 from the open‑source Spring Framework repository forked by HeroDevs.
  • This release contains no functional changes from Spring Framework 4.3.30. Full Version: 4.3.30-spring-framework-4.3.31

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.