Spring Framework 5.3.x Release Notes

12 versions

Comprehensive release notes and changelog for Spring Framework 5.3.x, including security patches, bug fixes, and feature updates across all supported versions.

Mar 23, 2026

Latest: 5.3.50

37 Patched Vulnerabilities

VEX Statements

March 2026

5.3.50

Released Mar 23, 2026

CVE-2026-22735

CVE-2026-22737

Full Version:

5.3.39-spring-framework-5.3.50

Bug Fixes

SSE content spoofing via unvalidated id and event field values in SseEmitter and ServerSentEvent (CVE-2026-22735).
Path traversal via unvalidated template location in ScriptTemplateView (CVE-2026-22737).

October 2025

5.3.49

Released Oct 17, 2025

CVE-2025-41254

Full Version:

5.3.39-spring-framework-5.3.49

Bug Fixes

This patches the Spring Framework STOMP over websocket CSRF vulnerability (CVE-2025-41254).

September 2025

5.3.48

Released Sep 16, 2025

CVE-2025-41249

Full Version:

5.3.39-spring-framework-5.3.48

Bug Fixes

This patches the Spring Framework annotation detection vulnerability (CVE-2025-41249).

August 2025

5.3.42-trial

Released Aug 26, 2025

Full Version:

5.3.39-spring-framework-5.3.42-trial

Notes

Add org.springframework:spring-web:jar:no-remoting:5.3.39-spring-framework-5.3.42-trial for demonstration purposes only.

5.3.47

Released Aug 15, 2025

CVE-2025-41242

CVE-2016-1000027

documentation

Full Version:

5.3.39-spring-framework-5.3.47

Bug Fixes

Fixed a "Path Traversal Vulnerability" occurring in Spring web MVC applications deployed to a Servlet container that is not secured.
- This addresses CVE-2025-41242.
Added a no-remoting variant of the spring-web artifact to remove HTTP Invoker remoting support.
- This addresses CVE-2016-1000027.
- See the documentation for more information on using the no-remoting variant.

May 2025

5.3.46

Released May 15, 2025

CVE-2025-22233

Full Version:

5.3.39-spring-framework-5.3.46

Bug Fixes

Fixed an additional vulnerability with DataBinder's disallowedFields related to case insensitivity.
- This addresses CVE-2025-22233.

February 2025

5.3.45

Released Feb 24, 2025

Full Version:

5.3.39-spring-framework-5.3.45

Notes

Publish Spring Framework under the org.springframework group ID instead of com.herodevs.nes.springframework

November 2024

5.3.44

Released Nov 15, 2024

CVE-2024-38828

Full Version:

5.3.39-spring-framework-5.3.44

Bug Fixes

Fixes to core and web packages to address DoS issue.
- This patches DoS via Spring MVC controller method with byte parameter (CVE-2024-38828).
- This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.44 in the following artifacts:
  - com.herodevs.nes.springframework:spring-core:5.3.39-spring-framework-5.3.44
  - com.herodevs.nes.springframework:spring-web:5.3.39-spring-framework-5.3.44

October 2024

5.3.43

Released Oct 30, 2024

CVE-2024-38819

Full Version:

5.3.39-spring-framework-5.3.43

Bug Fixes

Fixes to resource handling for Spring's WebMVC.fn and WebFlux.fn (functional) endpoints.
- This patches a variation of the path traversal vulnerability in Spring's functional web frameworks (CVE-2024-38819).
- This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.43 in the following artifacts:
  - com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.43
  - com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.43

5.3.42

Released Oct 24, 2024

CVE-2024-38820

Full Version:

5.3.39-spring-framework-5.3.42

Bug Fixes

Fixed an issue with DataBinder's disallowedFields related to case insensitivity.
- This update addresses the Spring Framework DataBinder Case Sensitive Match Exception (CVE-2024-38820).
- This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.42 in the following artifacts:
  - com.herodevs.nes.springframework:spring-context:5.3.39-spring-framework-5.3.42
  - com.herodevs.nes.springframework:spring-core:5.3.39-spring-framework-5.3.42
  - com.herodevs.nes.springframework:spring-web:5.3.39-spring-framework-5.3.42
  - com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.42
  - com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.42
  - com.herodevs.nes.springframework:spring-websocket:5.3.39-spring-framework-5.3.42

September 2024

5.3.41

Released Sep 19, 2024

CVE-2024-38816

Full Version:

5.3.39-spring-framework-5.3.41

Bug Fixes

Fixes to resource handling for Spring's WebMVC.fn and WebFlux.fn (functional) endpoints.
- This patches the path traversal vulnerability in Spring's functional web frameworks (CVE-2024-38816).
- This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.41 in the following artifacts:
  - com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.41
  - com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.41

August 2024

5.3.40

Released Aug 26, 2024

Full Version:

5.3.39-spring-framework-5.3.40

Notes

This release originates from the open‑source Spring Framework repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Framework 5.3.39. Full Version: 5.3.39-spring-framework-5.3.40

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team