Fixed a "Path Traversal Vulnerability" occurring in Spring web MVC applications deployed to a Servlet container that is not secured.
- This addresses CVE-2025-41242.

May 2025

4.3.34

Released on May 15, 2025

CVE-2025-22233

Full Version:

4.3.30-spring-framework-4.3.34

Bug Fixes

Fixed an additional vulnerability with DataBinder's disallowedFields related to case insensitivity.
- This addresses CVE-2025-22233.

February 2025

4.3.33

Released on Feb 24, 2025

Full Version:

4.3.30-spring-framework-4.3.33

Notes

Publish Spring Framework under the org.springframework group ID instead of com.herodevs.nes.springframework

December 2024

4.3.32

Released on Dec 18, 2024

10 More

Full Version:

4.3.30-spring-framework-4.3.32

Bug Fixes

This release patches the following:
- Spring Expression DoS Vulnerability (CVE-2022-22950).
  - com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
- Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965).
  - com.herodevs.nes.springframework:spring-beans:4.3.30-spring-framework-4.3.32
  - com.herodevs.nes.springframework:spring-webmvc:4.3.30-spring-framework-4.3.32
- Spring Framework DoS via Data Binding to MultipartFile or Servlet Part (CVE-2022-22970).
  - com.herodevs.nes.springframework:spring-beans:4.3.30-spring-framework-4.3.32
- Spring Framework DoS with STOMP over WebSocket (CVE-2022-22971).
  - com.herodevs.nes.springframework:spring-messaging:4.3.30-spring-framework-4.3.32
- Spring Expression DoS Vulnerability (CVE-2023-20861).
  - com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
- Spring Expression DoS Vulnerability (CVE-2023-20863).
  - com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
- Spring Framework URL Parsing with Host Validation (CVE-2024-22243).
  - com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Spring Framework URL Parsing with Host Validation (CVE-2024-22259).
  - com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Spring Framework URL Parsing with Host Validation (CVE-2024-22262).
  - com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Improper handling of case sensitivity (CVE-2022-22968).
  - com.herodevs.nes.springframework:spring-context:4.3.30-spring-framework-4.3.32
  - com.herodevs.nes.springframework:spring-webmvc:4.3.30-spring-framework-4.3.32
- Spring Expression DoS Vulnerability (CVE-2024-38808).
  - com.herodevs.nes.springframework:spring-expression:4.3.30-spring-framework-4.3.32
- Spring Framework DoS via conditional HTTP request (CVE-2024-38809).
  - com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Spring Framework DataBinder Case Sensitive Match Exception (CVE-2024-38820).
  - com.herodevs.nes.springframework:spring-context:4.3.30-spring-framework-4.3.32
- DoS via Spring MVC controller method with byte parameter (CVE-2024-38828).
  - com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32
- Pivotal Spring Framework contains unsafe Java deserialization methods (CVE-2016-1000027).
  - com.herodevs.nes.springframework:spring-web:4.3.30-spring-framework-4.3.32

November 2024

4.3.31

Released on Nov 18, 2024

Full Version:

4.3.30-spring-framework-4.3.31

Notes

This is the initial release of Spring Framework 4.3.30 from the open‑source Spring Framework repository forked by HeroDevs.
This release contains no functional changes from Spring Framework 4.3.30.

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team