Spring Framework 6.1.x Release Notes
7 versions
Comprehensive release notes and changelog for Spring Framework 6.1.x, including security patches, bug fixes, and feature updates across all supported versions.
June 2026
6.1.28
Released Jun 10, 2026. Full Version: 6.1.21-spring-framework-6.1.28
Bug Fixes
- Predictable WebSocket session ID generation in spring-websocket (CVE-2026-41838).
- Session fixation race in WebFlux InMemoryWebSession (CVE-2026-41839).
- Memory leak in WebFlux multipart PartGenerator enabling denial of service (CVE-2026-41840).
- Cache collisions in CachingResourceResolver could expose protected static resources (CVE-2026-41841).
- Denial of service via slow versioned static resource resolution (CVE-2026-41842).
- Path traversal in versioned static resource resolution (CVE-2026-41843).
- Open redirect via redirect: and forward: prefixes in default view name translation (CVE-2026-41844).
- Incorrect escaping in JavaScriptUtils#javaScriptEscape enabling cross-site scripting (CVE-2026-41845).
- Cross-site scripting via unescaped cssClass, cssErrorClass, and cssStyle attributes in JSP form tags (CVE-2026-41846).
- Regular expression denial of service (ReDoS) in AntPathMatcher (CVE-2026-41848).
- Algorithmic denial of service in Spring Expression Language (SpEL); adds a configurable maximum-operations limit (CVE-2026-41850).
- Unbounded SpEL pattern cache growth leading to memory exhaustion (CVE-2026-41851).
- SpEL permitted zero-argument method invocation in restricted evaluation contexts (CVE-2026-41852).
- Multipart request smuggling in Spring MVC and WebFlux (CVE-2026-41853).
- Arbitrary class instantiation in the JMS MappingJackson2MessageConverter; adds a trusted-packages API to restrict deserialization (CVE-2026-41855).
April 2026
6.1.27
Released Apr 17, 2026. Full Version: 6.1.21-spring-framework-6.1.27
Bug Fixes
- DoS with Multipart Temp Files in WebFlux (CVE-2026-22740)
- Static resource cache poisoning in Spring MVC and WebFlux (CVE-2026-22741)
- Denial of service in static resource handling on Windows platforms (CVE-2026-22745)
March 2026
6.1.26
Released Mar 23, 2026. Full Version: 6.1.21-spring-framework-6.1.26
Bug Fixes
- SSE content spoofing via unvalidated id and event field values in SseEmitter and ServerSentEvent (CVE-2026-22735).
- Path traversal via unvalidated template location in ScriptTemplateView (CVE-2026-22737).
October 2025
6.1.25
Released Oct 17, 2025. Full Version: 6.1.21-spring-framework-6.1.25
Bug Fixes
- This patches the Spring Framework STOMP over websocket CSRF vulnerability (CVE-2025-41254).
September 2025
6.1.24
Released Sep 16, 2025. Full Version: 6.1.21-spring-framework-6.1.24
Bug Fixes
- This patches the Spring Framework annotation detection vulnerability (CVE-2025-41249).
August 2025
6.1.23
Released Aug 15, 2025. Full Version: 6.1.21-spring-framework-6.1.23
Bug Fixes
- Fixed a path traversal vulnerability in Spring Web MVC applications deployed to a Servlet container that is not itself secured (CVE-2025-41242).
Dependency Upgrades
- AspectJ 1.9.24
- AssertJ 3.27.4
July 2025
6.1.22
Released Jul 11, 2025. Full Version: 6.1.21-spring-framework-6.1.22
Notes
- This release originates from the open-source Spring Framework repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Framework 6.1.21.