HeroDevs
Visit NES for Spring Home Page

Spring Security Release Notes

51 versions

Comprehensive release notes and changelog for Spring Security, detailing HeroDevs-provided security patches across all supported versions.

Apr 23, 2026
Latest: 4.2.30
44 Patched Vulnerabilities
VEX Statements

April 2026

6.4.16

Released Apr 23, 2026
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
Full Version: 
6.4.13-spring-security-6.4.16

Bug Fixes

  • Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).
  • Patched the weak authentication issue in NimbusJwtDecoder and NimbusReactiveJwtDecoder where JWT token validation is not enforced unless an OAuth2TokenValidator<Jwt> is explicitly configured via setJwtValidator() (CVE-2026-22748).
  • Patched the authorization bypass in JdbcOneTimeTokenService where a time-of-check time-of-use race condition allowed concurrent one-time token login requests to bypass the single-use constraint (CVE-2026-22751).

Dependency Upgrades

  • Spring Data BOM (NES) 2024.1.13-spring-data-bom-2024.1.16
  • Spring LDAP (NES) 3.2.16-spring-ldap-3.2.20

6.3.13

Released Apr 23, 2026
CVE-2026-22746
CVE-2026-22748
Full Version: 
6.3.10-spring-security-6.3.13

Bug Fixes

  • Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).
  • Patched the weak authentication issue in NimbusJwtDecoder and NimbusReactiveJwtDecoder where JWT token validation is not enforced unless an OAuth2TokenValidator<Jwt> is explicitly configured via setJwtValidator() (CVE-2026-22748).

Dependency Upgrades

  • Spring Data BOM (NES) 2024.0.13-spring-data-bom-2024.0.16
  • Spring Framework (NES) 6.1.21-spring-framework-6.1.27
  • Spring LDAP (NES) 3.2.16-spring-ldap-3.2.20

6.2.15

Released Apr 23, 2026
CVE-2026-22746
CVE-2026-22748
Full Version: 
6.2.8-spring-security-6.2.15

Bug Fixes

  • Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).
  • Patched the weak authentication issue in NimbusJwtDecoder and NimbusReactiveJwtDecoder where JWT token validation is not enforced unless an OAuth2TokenValidator<Jwt> is explicitly configured via setJwtValidator() (CVE-2026-22748).

Dependency Upgrades

  • Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.18
  • Spring Framework (NES) 6.1.21-spring-framework-6.1.27
  • Spring LDAP (NES) 3.2.16-spring-ldap-3.2.20

5.8.27

Released Apr 23, 2026
CVE-2026-22746
Full Version: 
5.8.16-spring-security-5.8.27

Bug Fixes

  • Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).

Dependency Upgrades

  • Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.26
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.51
  • Spring LDAP (NES) 2.4.4-spring-ldap-2.4.12

5.7.24

Released Apr 23, 2026
CVE-2026-22746
Full Version: 
5.7.14-spring-security-5.7.24

Bug Fixes

  • Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).

Dependency Upgrades

  • Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.21
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.51
  • Spring LDAP (NES) 2.4.4-spring-ldap-2.4.12

5.5.11

Released Apr 23, 2026
CVE-2026-22746
Full Version: 
5.5.8-spring-security-5.5.11

Bug Fixes

  • Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).

Dependency Upgrades

  • Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.15
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.51
  • Spring LDAP (NES) 2.3.8-spring-ldap-2.3.11

4.2.30

Released Apr 23, 2026
CVE-2026-22746
Full Version: 
4.2.20-spring-security-4.2.30

Bug Fixes

  • Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).

Dependency Upgrades

  • Spring Framework (NES) 4.3.30-spring-framework-4.3.38

March 2026

6.4.15

Released Mar 23, 2026
CVE-2026-22732
Full Version: 
6.4.13-spring-security-6.4.15

Bug Fixes

  • Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

  • Spring Framework 6.2.17
  • Spring Data BOM (NES) 2024.1.13-spring-data-bom-2024.1.14
  • Spring LDAP (NES) 3.2.16-spring-ldap-3.2.18

6.3.12

Released Mar 23, 2026
CVE-2026-22732
Full Version: 
6.3.10-spring-security-6.3.12

Bug Fixes

  • Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

  • Spring Framework (NES) 6.1.21-spring-framework-6.1.26

6.2.14

Released Mar 23, 2026
CVE-2026-22732
Full Version: 
6.2.8-spring-security-6.2.14

Bug Fixes

  • Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

  • Spring Framework (NES) 6.1.21-spring-framework-6.1.26

5.8.26

Released Mar 23, 2026
CVE-2026-22732
Full Version: 
5.8.16-spring-security-5.8.26

Bug Fixes

  • Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

  • Spring Framework (NES) 5.3.39-spring-framework-5.3.50

5.7.23

Released Mar 23, 2026
CVE-2026-22732
Full Version: 
5.7.14-spring-security-5.7.23

Bug Fixes

  • Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

  • Spring Framework (NES) 5.3.39-spring-framework-5.3.50

5.5.10

Released Mar 23, 2026
CVE-2026-22732
Full Version: 
5.5.8-spring-security-5.5.10

Bug Fixes

  • Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

  • Spring Framework (NES) 5.3.39-spring-framework-5.3.50

4.2.29

Released Mar 23, 2026
CVE-2026-22732
Full Version: 
4.2.20-spring-security-4.2.29

Bug Fixes

  • Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

  • Spring Framework (NES) 4.3.30-spring-framework-4.3.37

5.5.9

Released Mar 11, 2026
CVE-2025-22228
CVE-2025-22234
CVE-2025-22228
CVE-2024-38827
CVE-2024-38821
2 More
Full Version: 
5.5.8-spring-security-5.5.9

Bug Fixes

  • This release patches the following:
    • Maximum password length enforced in BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in DaoAuthenticationProvider (CVE-2025-22234).
    • BCryptPasswordEncoder maximum password length is not enforced (CVE-2025-22228).
    • Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
    • Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
    • Possible Broken Access Control With Direct Use of AuthenticatedVoter (CVE-2024-22257).
    • Privilege Escalation in OAuth2 Client (CVE-2022-31690).

Notes

  • This release originates from the open‑source Spring Security repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Security 5.5.8.

Dependency Upgrades

  • Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.13
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.49
  • Spring LDAP (NES) 2.3.8-spring-ldap-2.3.9

January 2026

6.4.14

Released Jan 28, 2026
Full Version: 
6.4.13-spring-security-6.4.14

Notes

  • This release originates from the open‑source Spring Security repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Security 6.4.13.

December 2025

6.3.11

Released Dec 10, 2025
Full Version: 
6.3.10-spring-security-6.3.11

Notes

  • This release originates from the open‑source Spring Security repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Security 6.3.10.

Dependency Upgrades

  • Spring Data BOM (NES) 2024.0.13-spring-data-bom-2024.0.14
  • Spring Framework (NES) 6.1.21-spring-framework-6.1.25Full Version: 6.3.10-spring-security-6.3.11

October 2025

6.2.13

Released Oct 24, 2025
Full Version: 
6.2.8-spring-security-6.2.13

Dependency Upgrades

  • Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.16
  • Spring Framework (NES) 6.1.21-spring-framework-6.1.25
  • Spring LDAP (NES) 3.2.13-spring-ldap-3.2.17

5.8.25

Released Oct 23, 2025
Full Version: 
5.8.16-spring-security-5.8.25

Dependency Upgrades

  • Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.24
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.49
  • Spring LDAP (NES) 2.4.4-spring-ldap-2.4.10

5.7.22

Released Oct 23, 2025
Full Version: 
5.7.14-spring-security-5.7.22

Dependency Upgrades

  • Spring Framework (NES) 5.3.39-spring-framework-5.3.49

4.2.28

Released Oct 23, 2025
Full Version: 
4.2.20-spring-security-4.2.28

Dependency Upgrades

  • Spring Framework (NES) 4.3.30-spring-framework-4.3.36

September 2025

6.2.12

Released Sep 23, 2025
Full Version: 
6.2.8-spring-security-6.2.12

Dependency Upgrades

  • Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.15
  • Spring Framework (NES) 6.1.21-spring-framework-6.1.24
  • Spring LDAP (NES) 3.2.13-spring-ldap-3.2.16

5.8.24

Released Sep 23, 2025
Full Version: 
5.8.16-spring-security-5.8.24

Dependency Upgrades

  • Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.23
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.48
  • Spring LDAP (NES) 2.4.4-spring-ldap-2.4.9

5.7.21

Released Sep 23, 2025
Full Version: 
5.7.14-spring-security-5.7.21

Dependency Upgrades

  • Spring Framework (NES) 5.3.39-spring-framework-5.3.48

August 2025

5.8.23

Released Aug 25, 2025
Full Version: 
5.8.16-spring-security-5.8.23

Dependency Upgrades

  • Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.22
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.47
  • Spring LDAP (NES) 2.4.4-spring-ldap-2.4.8

5.7.20

Released Aug 25, 2025
Full Version: 
5.7.14-spring-security-5.7.20

Dependency Upgrades

  • Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.22
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.47
  • Spring LDAP (NES) 2.4.4-spring-ldap-2.4.8

6.2.11

Released Aug 22, 2025
Full Version: 
6.2.8-spring-security-6.2.11

Dependency Upgrades

  • Spring Framework (NES) 6.1.21-spring-framework-6.1.23

4.2.27

Released Aug 22, 2025
Full Version: 
4.2.20-spring-security-4.2.27

Dependency Upgrades

  • Spring Framework (NES) 4.3.30-spring-framework-4.3.35

July 2025

6.2.10

Released Jul 15, 2025
Full Version: 
6.2.8-spring-security-6.2.10

Dependency Upgrades

  • Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.13
  • Spring Framework (NES) 6.1.21-spring-framework-6.1.22
  • Spring LDAP (NES) 3.2.13-spring-ldap-3.2.14

May 2025

6.2.9

Released May 27, 2025
CVE-2025-22234
CVE-2025-22228
CVE-2025-22228
Full Version: 
6.2.8-spring-security-6.2.9

Bug Fixes

  • This release patches the following:
    • CVE-2025-22234: Maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in the DaoAuthenticationProvider.
      • org.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9
    • CVE-2025-22228: Maximum password length is not enforced in BCryptPasswordEncoder
      • org.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9

Notes

  • This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version 6.2.8.
  • Includes other modifications implemented by HeroDevs to ensure successful library builds. Full Version: 6.2.8-spring-security-6.2.9

5.8.22

Released May 20, 2025
Full Version: 
5.8.16-spring-security-5.8.22

Dependency Upgrades

  • Spring Framework (NES): 5.3.39-spring-framework-5.3.46
  • Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.21
  • Spring LDAP (NES): 2.4.4-spring-ldap-2.4.7

5.7.19

Released May 20, 2025
Full Version: 
5.7.14-spring-security-5.7.19

Dependency Upgrades

  • Spring Framework (NES): 5.3.39-spring-framework-5.3.46
  • Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.21

4.2.26

Released May 20, 2025
Full Version: 
4.2.20-spring-security-4.2.26

Dependency Upgrades

  • Spring Framework (NES): 4.3.30-spring-framework-4.3.34

April 2025

4.2.25

Released Apr 30, 2025
CVE-2025-22228
CVE-2025-22234
Full Version: 
4.2.20-spring-security-4.2.25

Bug Fixes

  • This patches the bug in Spring Security where the maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in the DaoAuthenticationProvider (CVE-2025-22234).
    • org.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.25

5.8.21

Released Apr 23, 2025
CVE-2025-22228
CVE-2025-22234
Full Version: 
5.8.16-spring-security-5.8.21

Bug Fixes

  • This patches the bug in Spring Security where the maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in the DaoAuthenticationProvider (CVE-2025-22234).
    • org.springframework.security:spring-security-crypto:5.8.16-spring-security-5.8.21

5.7.18

Released Apr 23, 2025
CVE-2025-22234
Full Version: 
5.7.14-spring-security-5.7.18

Bug Fixes

  • This patches the bug in Spring Security where the maximum password length enforced in the BCryptPasswordEncoder breaks timing attack mitigation in the DaoAuthenticationProvider (CVE-2025-22234).
    • org.springframework.security:spring-security-crypto:5.7.14-spring-security-5.7.18

March 2025

5.8.20

Released Mar 20, 2025
CVE-2025-22228
Full Version: 
5.8.16-spring-security-5.8.20

Bug Fixes

  • This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
    • org.springframework.security:spring-security-crypto:5.8.16-spring-security-5.8.20

5.7.17

Released Mar 20, 2025
CVE-2025-22228
Full Version: 
5.7.14-spring-security-5.7.17

Bug Fixes

  • This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
    • org.springframework.security:spring-security-crypto:5.7.14-spring-security-5.7.17

4.2.24

Released Mar 20, 2025
CVE-2025-22228
Full Version: 
4.2.20-spring-security-4.2.24

Bug Fixes

  • This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
    • org.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.24

5.8.19

Released Mar 6, 2025
Full Version: 
5.8.16-spring-security-5.8.19

Notes

  • Spring Security's artifacts include LICENSE and NOTICE files in the META-INF directory.

February 2025

5.8.18

Released Feb 24, 2025
Full Version: 
5.8.16-spring-security-5.8.18

Notes

  • Publish Spring Security under the org.springframework.security group ID instead of com.herodevs.nes.springframework.security

Dependency Upgrades

  • Spring Framework (NES): 5.3.39-spring-framework-5.3.45
  • Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.20
  • Spring LDAP (NES): 2.4.4-spring-ldap-2.4.6

5.7.16

Released Feb 24, 2025
Full Version: 
5.7.14-spring-security-5.7.16

Notes

  • Publish Spring Security under the org.springframework.security group ID instead of com.herodevs.nes.springframework.security

Dependency Upgrades

  • Spring Framework (NES): 5.3.39-spring-framework-5.3.45
  • Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.20
  • Spring LDAP (NES): 2.4.4-spring-ldap-2.4.6

4.2.23

Released Feb 24, 2025
Full Version: 
4.2.20-spring-security-4.2.23

Notes

  • Publish Spring Security under the org.springframework.security group ID instead of com.herodevs.nes.springframework.security

Dependency Upgrades

  • Spring Framework (NES): 4.3.30-spring-framework-4.3.33

December 2024

4.2.22

Released Dec 18, 2024
CVE-2021-22112
CVE-2022-22978
CVE-2024-22257
CVE-2024-38827
Full Version: 
4.2.20-spring-security-4.2.22

Bug Fixes

  • This release patches the following:
    • Changing SecurityContext More Than Once in Single Request Can Fail to Save (CVE-2021-22112).
      • com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
    • Authorization Bypass in RegexRequestMatcher (CVE-2022-22978).
      • com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
      • com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
    • Possible Broken Access Control in Spring Security With Direct Use of AuthenticatedVoter (CVE-2024-22257).
      • com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
    • Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
      • com.herodevs.nes.springframework.security:spring-security-cas:4.2.20-spring-security-4.2.22
      • com.herodevs.nes.springframework.security:spring-security-config:4.2.20-spring-security-4.2.22
      • com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
      • com.herodevs.nes.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.22
      • com.herodevs.nes.springframework.security:spring-security-ldap:4.2.20-spring-security-4.2.22
      • com.herodevs.nes.springframework.security:spring-security-taglibs:4.2.20-spring-security-4.2.22
      • com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22

Notes

  • Spring Security 4.2.22 NES release updates Spring Framework to NES version 4.3.32.

November 2024

5.8.17

Released Nov 19, 2024
CVE-2024-38827
Full Version: 
5.8.16-spring-security-5.8.17

Bug Fixes

  • This patches the Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
    • com.herodevs.nes.springframework.security:spring-security-cas:5.8.16-spring-security-5.8.17
    • com.herodevs.nes.springframework.security:spring-security-config:5.8.16-spring-security-5.8.17
    • com.herodevs.nes.springframework.security:spring-security-core:5.8.16-spring-security-5.8.17
    • com.herodevs.nes.springframework.security:spring-security-crypto:5.8.16-spring-security-5.8.17
    • com.herodevs.nes.springframework.security:spring-security-data:5.8.16-spring-security-5.8.17
    • com.herodevs.nes.springframework.security:spring-security-ldap:5.8.16-spring-security-5.8.17
    • com.herodevs.nes.springframework.security:spring-security-oauth2-client:5.8.16-spring-security-5.8.17
    • com.herodevs.nes.springframework.security:spring-security-taglibs:5.8.16-spring-security-5.8.17
    • com.herodevs.nes.springframework.security:spring-security-web:5.8.16-spring-security-5.8.17

5.7.15

Released Nov 19, 2024
CVE-2024-38827
Full Version: 
5.7.14-spring-security-5.7.15

Bug Fixes

  • This patches the Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
    • com.herodevs.nes.springframework.security:spring-security-cas:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-config:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-core:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-crypto:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-data:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-ldap:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-oauth2-client:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-taglibs:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-web:5.7.14-spring-security-5.7.15

4.2.21

Released Nov 7, 2024
Full Version: 
4.2.20-spring-security-4.2.21

Notes

  • This is the initial release of Spring Security 4.2.20 from the open‑source Spring Security repository forked by HeroDevs.
  • This release contains no functional changes from Spring Security 4.2.20. Full Version: 4.2.20-spring-security-4.2.21

October 2024

5.8.16

Released Oct 29, 2024
CVE-2024-38821
Full Version: 
5.8.15-spring-security-5.8.16

Bug Fixes

  • This patches the Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
    • com.herodevs.nes.springframework.security:spring-security-web:5.8.15-spring-security-5.8.16

5.7.14

Released Oct 29, 2024
CVE-2024-38821
Full Version: 
5.7.13-spring-security-5.7.14

Bug Fixes

  • This patches the Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
    • com.herodevs.nes.springframework.security:spring-security-web:5.7.13-spring-security-5.7.14

September 2024

5.8.15

Released Sep 20, 2024
Full Version: 
5.8.14-spring-security-5.8.15

Notes

  • This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version 5.8.14.
  • Includes other modifications implemented by HeroDevs to ensure successful library builds. Full Version: 5.8.14-spring-security-5.8.15

August 2024

5.7.13

Released Aug 26, 2024
Full Version: 
5.7.12-spring-security-5.7.13

Notes

  • This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version 5.7.12.
  • Includes other modifications implemented by HeroDevs to ensure successful library builds.
  • Spring Security 5.7.12 includes Spring Framework 5.3.29. This release updates Spring Framework to NES version 5.3.40 which is equivalent to the original Spring Framework 5.3.39. For reference, here is a list of all included updates from Spring Framework included here:
    • v5.3.30
    • v5.3.31
    • v5.3.32
    • v5.3.33
    • v5.3.34
    • v5.3.35
    • v5.3.36
    • v5.3.37
    • v5.3.38
    • v5.3.39Full Version: 5.7.12-spring-security-5.7.13

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.