Visit NES for Spring Home Page

Spring Framework 5.3.x Release Notes

14 versions

Comprehensive release notes and changelog for Spring Framework 5.3.x, including security patches, bug fixes, and feature updates across all supported versions.

Jun 10, 2026
Latest: 5.3.52
89 Patched Vulnerabilities
VEX Statements

June 2026

Full Version:
5.3.39-spring-framework-5.3.52

Bug Fixes

  • Predictable WebSocket session ID generation in spring-websocket (CVE-2026-41838).
  • Session fixation race in WebFlux InMemoryWebSession (CVE-2026-41839).
  • Memory leak in WebFlux multipart PartGenerator enabling denial of service (CVE-2026-41840).
  • Cache collisions in CachingResourceResolver could expose protected static resources (CVE-2026-41841).
  • Denial of service via slow versioned static resource resolution (CVE-2026-41842).
  • Path traversal in versioned static resource resolution (CVE-2026-41843).
  • Open redirect via redirect: and forward: prefixes in default view name translation (CVE-2026-41844).
  • Incorrect escaping in JavaScriptUtils#javaScriptEscape enabling cross-site scripting (CVE-2026-41845).
  • Cross-site scripting via unescaped cssClass, cssErrorClass, and cssStyle attributes in JSP form tags (CVE-2026-41846).
  • WebFlux Kotlin Router DSL discarded filter modifications to ServerRequest, bypassing security filters (CVE-2026-41847).
  • Regular expression denial of service (ReDoS) in AntPathMatcher (CVE-2026-41848).
  • Integer overflow in Spring Expression Language (SpEL) evaluation enabling denial of service (CVE-2026-41849).
  • Algorithmic denial of service in SpEL; adds a configurable maximum-operations limit (CVE-2026-41850).
  • Unbounded SpEL pattern cache growth leading to memory exhaustion (CVE-2026-41851).
  • SpEL permitted zero-argument method invocation in restricted evaluation contexts (CVE-2026-41852).
  • Multipart request smuggling in Spring MVC and WebFlux (CVE-2026-41853).
  • Arbitrary class instantiation in the JMS MappingJackson2MessageConverter; adds a trusted-packages API to restrict deserialization (CVE-2026-41855).

April 2026

Full Version:
5.3.39-spring-framework-5.3.51

Bug Fixes

  • DoS with Multipart Temp Files in WebFlux (CVE-2026-22740)
  • Static resource cache poisoning in Spring MVC and WebFlux (CVE-2026-22741)
  • Denial of service in static resource handling on Windows platforms (CVE-2026-22745)

March 2026

Full Version:
5.3.39-spring-framework-5.3.50

Bug Fixes

  • SSE content spoofing via unvalidated id and event field values in SseEmitter and ServerSentEvent (CVE-2026-22735).
  • Path traversal via unvalidated template location in ScriptTemplateView (CVE-2026-22737).

October 2025

5.3.49

Released Oct 17, 2025
Full Version:
5.3.39-spring-framework-5.3.49

Bug Fixes

  • This patches the Spring Framework STOMP over websocket CSRF vulnerability (CVE-2025-41254).

September 2025

5.3.48

Released Sep 16, 2025
Full Version:
5.3.39-spring-framework-5.3.48

Bug Fixes

  • This patches the Spring Framework annotation detection vulnerability (CVE-2025-41249).

August 2025

5.3.42-trial

Released Aug 26, 2025
Full Version:
5.3.39-spring-framework-5.3.42-trial

Notes

  • Add org.springframework:spring-web:jar:no-remoting:5.3.39-spring-framework-5.3.42-trial for demonstration purposes only.
Full Version:
5.3.39-spring-framework-5.3.47

Bug Fixes

  • Fixed a "Path Traversal Vulnerability" occurring in Spring web MVC applications deployed to a Servlet container that is not secured.
  • Added a no-remoting variant of the spring-web artifact to remove HTTP Invoker remoting support.

May 2025

5.3.46

Released May 15, 2025
Full Version:
5.3.39-spring-framework-5.3.46

Bug Fixes

  • Fixed an additional vulnerability with DataBinder's disallowedFields related to case insensitivity.

February 2025

5.3.45

Released Feb 24, 2025
Full Version:
5.3.39-spring-framework-5.3.45

Notes

  • Publish Spring Framework under the org.springframework group ID instead of com.herodevs.nes.springframework

November 2024

5.3.44

Released Nov 15, 2024
Full Version:
5.3.39-spring-framework-5.3.44

Bug Fixes

  • Fixes to core and web packages to address DoS issue.
    • This patches DoS via Spring MVC controller method with byte parameter (CVE-2024-38828).
    • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.44 in the following artifacts:
      • com.herodevs.nes.springframework:spring-core:5.3.39-spring-framework-5.3.44
      • com.herodevs.nes.springframework:spring-web:5.3.39-spring-framework-5.3.44

October 2024

5.3.43

Released Oct 30, 2024
Full Version:
5.3.39-spring-framework-5.3.43

Bug Fixes

  • Fixes to resource handling for Spring's WebMVC.fn and WebFlux.fn (functional) endpoints.
    • This patches a variation of the path traversal vulnerability in Spring's functional web frameworks (CVE-2024-38819).
    • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.43 in the following artifacts:
      • com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.43
      • com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.43

5.3.42

Released Oct 24, 2024
Full Version:
5.3.39-spring-framework-5.3.42

Bug Fixes

  • Fixed an issue with DataBinder's disallowedFields related to case insensitivity.
    • This update addresses the Spring Framework DataBinder Case Sensitive Match Exception (CVE-2024-38820).
    • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.42 in the following artifacts:
      • com.herodevs.nes.springframework:spring-context:5.3.39-spring-framework-5.3.42
      • com.herodevs.nes.springframework:spring-core:5.3.39-spring-framework-5.3.42
      • com.herodevs.nes.springframework:spring-web:5.3.39-spring-framework-5.3.42
      • com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.42
      • com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.42
      • com.herodevs.nes.springframework:spring-websocket:5.3.39-spring-framework-5.3.42

September 2024

5.3.41

Released Sep 19, 2024
Full Version:
5.3.39-spring-framework-5.3.41

Bug Fixes

  • Fixes to resource handling for Spring's WebMVC.fn and WebFlux.fn (functional) endpoints.
    • This patches the path traversal vulnerability in Spring's functional web frameworks (CVE-2024-38816).
    • This fix is included in NES for Spring Framework version 5.3.39-spring-framework-5.3.41 in the following artifacts:
      • com.herodevs.nes.springframework:spring-webmvc:5.3.39-spring-framework-5.3.41
      • com.herodevs.nes.springframework:spring-webflux:5.3.39-spring-framework-5.3.41

August 2024

5.3.40

Released Aug 26, 2024
Full Version:
5.3.39-spring-framework-5.3.40

Notes

  • This release originates from the open‑source Spring Framework repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Framework 5.3.39. Full Version: 5.3.39-spring-framework-5.3.40

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.