Spring Security Release Notes

36 versions

Comprehensive release notes and changelog for Spring Security, detailing HeroDevs-provided security patches across all supported versions.

Jan 28, 2026

Latest: 6.4.14

16 Patched Vulnerabilities

VEX Statements

January 2026

6.4.14

Released on Jan 28, 2026

Full Version:

6.4.13-spring-security-6.4.14

Notes

This release originates from the open‑source Spring Security repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Security 6.4.13.

December 2025

6.3.11

Released on Dec 10, 2025

Full Version:

6.3.10-spring-security-6.3.11

Notes

This release originates from the open‑source Spring Security repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Security 6.3.10.

Dependency Upgrades

Spring Data BOM (NES) 2024.0.13-spring-data-bom-2024.0.14
Spring Framework (NES) 6.1.21-spring-framework-6.1.25Full Version: 6.3.10-spring-security-6.3.11

October 2025

6.2.13

Released on Oct 24, 2025

Full Version:

6.2.8-spring-security-6.2.13

Dependency Upgrades

Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.16
Spring Framework (NES) 6.1.21-spring-framework-6.1.25
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.17

5.8.25

Released on Oct 23, 2025

Full Version:

5.8.16-spring-security-5.8.25

Dependency Upgrades

Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.24
Spring Framework (NES) 5.3.39-spring-framework-5.3.49
Spring LDAP (NES) 2.4.4-spring-ldap-2.4.10

5.7.22

Released on Oct 23, 2025

Full Version:

5.7.14-spring-security-5.7.22

Dependency Upgrades

Spring Framework (NES) 5.3.39-spring-framework-5.3.49

4.2.28

Released on Oct 23, 2025

Full Version:

4.2.20-spring-security-4.2.28

Dependency Upgrades

Spring Framework (NES) 4.3.30-spring-framework-4.3.36

September 2025

6.2.12

Released on Sep 23, 2025

Full Version:

6.2.8-spring-security-6.2.12

Dependency Upgrades

Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.15
Spring Framework (NES) 6.1.21-spring-framework-6.1.24
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.16

5.8.24

Released on Sep 23, 2025

Full Version:

5.8.16-spring-security-5.8.24

Dependency Upgrades

Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.23
Spring Framework (NES) 5.3.39-spring-framework-5.3.48
Spring LDAP (NES) 2.4.4-spring-ldap-2.4.9

5.7.21

Released on Sep 23, 2025

Full Version:

5.7.14-spring-security-5.7.21

Dependency Upgrades

Spring Framework (NES) 5.3.39-spring-framework-5.3.48

August 2025

5.8.23

Released on Aug 25, 2025

Full Version:

5.8.16-spring-security-5.8.23

Dependency Upgrades

Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.22
Spring Framework (NES) 5.3.39-spring-framework-5.3.47
Spring LDAP (NES) 2.4.4-spring-ldap-2.4.8

5.7.20

Released on Aug 25, 2025

Full Version:

5.7.14-spring-security-5.7.20

Dependency Upgrades

Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.22
Spring Framework (NES) 5.3.39-spring-framework-5.3.47
Spring LDAP (NES) 2.4.4-spring-ldap-2.4.8

6.2.11

Released on Aug 22, 2025

Full Version:

6.2.8-spring-security-6.2.11

Dependency Upgrades

Spring Framework (NES) 6.1.21-spring-framework-6.1.23

4.2.27

Released on Aug 22, 2025

Full Version:

4.2.20-spring-security-4.2.27

Dependency Upgrades

Spring Framework (NES) 4.3.30-spring-framework-4.3.35

July 2025

6.2.10

Released on Jul 15, 2025

Full Version:

6.2.8-spring-security-6.2.10

Dependency Upgrades

Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.13
Spring Framework (NES) 6.1.21-spring-framework-6.1.22
Spring LDAP (NES) 3.2.13-spring-ldap-3.2.14

May 2025

6.2.9

Released on May 27, 2025

CVE-2025-22234

CVE-2025-22228

Full Version:

6.2.8-spring-security-6.2.9

Bug Fixes

This release patches the following:
- CVE-2025-22234: Maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-20225-22228) breaks timing attack mitigation in the DaoAuthenticationProvider.
  - org.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9
- CVE-2025-22228: Maximum password length is not enforced in BCryptPasswordEncoder
  - org.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9

Notes

This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version 6.2.8.
Includes other modifications implemented by HeroDevs to ensure successful library builds. Full Version: 6.2.8-spring-security-6.2.9

5.8.22

Released on May 20, 2025

Full Version:

5.8.16-spring-security-5.8.22

Dependency Upgrades

Spring Framework (NES): 5.3.39-spring-framework-5.3.46
Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.21
Spring LDAP (NES): 2.4.4-spring-ldap-2.4.7

5.7.19

Released on May 20, 2025

Full Version:

5.7.14-spring-security-5.7.19

Dependency Upgrades

Spring Framework (NES): 5.3.39-spring-framework-5.3.46
Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.21

4.2.26

Released on May 20, 2025

Full Version:

4.2.20-spring-security-4.2.26

Dependency Upgrades

Spring Framework (NES): 4.3.30-spring-framework-4.3.34

April 2025

4.2.25

Released on Apr 30, 2025

CVE-2025-22234

Full Version:

4.2.20-spring-security-4.2.25

Bug Fixes

This patches the bug in Spring Security where the maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-20225-22228) breaks timing attack mitigation in the DaoAuthenticationProvider (CVE-2025-22234).
- org.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.25

5.8.21

Released on Apr 23, 2025

CVE-2025-22234

Full Version:

5.8.16-spring-security-5.8.21

Bug Fixes

This patches the bug in Spring Security where the maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-20225-22228) breaks timing attack mitigation in the DaoAuthenticationProvider (CVE-2025-22234).
- org.springframework.security:spring-security-crypto:5.8.16-spring-security-5.8.21

5.7.18

Released on Apr 23, 2025

CVE-2025-22234

Full Version:

5.7.14-spring-security-5.7.18

Bug Fixes

This patches the bug in Spring Security where the maximum password length enforced in the BCryptPasswordEncoder breaks timing attack mitigation in the DaoAuthenticationProvider (CVE-2025-22234).
- org.springframework.security:spring-security-crypto:5.7.14-spring-security-5.7.18

March 2025

5.8.20

Released on Mar 20, 2025

CVE-2025-22228

Full Version:

5.8.16-spring-security-5.8.20

Bug Fixes

This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
- org.springframework.security:spring-security-crypto:5.8.16-spring-security-5.8.20

5.7.17

Released on Mar 20, 2025

CVE-2025-22228

Full Version:

5.7.14-spring-security-5.7.17

Bug Fixes

This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
- org.springframework.security:spring-security-crypto:5.7.14-spring-security-5.7.17

4.2.24

Released on Mar 20, 2025

CVE-2025-22228

Full Version:

4.2.20-spring-security-4.2.24

Bug Fixes

This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
- org.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.24

5.8.19

Released on Mar 6, 2025

Full Version:

5.8.16-spring-security-5.8.19

Notes

Spring Security's artifacts include LICENSE and NOTICE files in the META-INF directory.

February 2025

5.8.18

Released on Feb 24, 2025

Full Version:

5.8.16-spring-security-5.8.18

Notes

Publish Spring Security under the org.springframework.security group ID instead of com.herodevs.nes.springframework.security

Dependency Upgrades

Spring Framework (NES): 5.3.39-spring-framework-5.3.45
Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.20
Spring LDAP (NES): 2.4.4-spring-ldap-2.4.6

5.7.16

Released on Feb 24, 2025

Full Version:

5.7.14-spring-security-5.7.16

Notes

Publish Spring Security under the org.springframework.security group ID instead of com.herodevs.nes.springframework.security

Dependency Upgrades

Spring Framework (NES): 5.3.39-spring-framework-5.3.45
Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.20
Spring LDAP (NES): 2.4.4-spring-ldap-2.4.6

4.2.23

Released on Feb 24, 2025

Full Version:

4.2.20-spring-security-4.2.23

Notes

Publish Spring Security under the org.springframework.security group ID instead of com.herodevs.nes.springframework.security

Dependency Upgrades

Spring Framework (NES): 4.3.30-spring-framework-4.3.33

December 2024

4.2.22

Released on Dec 18, 2024

Full Version:

4.2.20-spring-security-4.2.22

Bug Fixes

This release patches the following:
- Changing SecurityContext More Than Once in Single Request Can Fail to Save (CVE-2021-22112).
  - com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
- Authorization Bypass in RegexRequestMatcher (CVE-2022-22978).
  - com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
- Possible Broken Access Control in Spring Security With Direct Use of AuthenticatedVoter (CVE-2024-22257).
  - com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
- Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
  - com.herodevs.nes.springframework.security:spring-security-cas:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-config:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-ldap:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-taglibs:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22

Notes

Spring Security 4.2.22 NES release updates Spring Framework to NES version 4.3.32.

November 2024

5.8.17

Released on Nov 19, 2024

CVE-2024-38827

Full Version:

5.8.16-spring-security-5.8.17

Bug Fixes

This patches the Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
- com.herodevs.nes.springframework.security:spring-security-cas:5.8.16-spring-security-5.8.17
- com.herodevs.nes.springframework.security:spring-security-config:5.8.16-spring-security-5.8.17
- com.herodevs.nes.springframework.security:spring-security-core:5.8.16-spring-security-5.8.17
- com.herodevs.nes.springframework.security:spring-security-crypto:5.8.16-spring-security-5.8.17
- com.herodevs.nes.springframework.security:spring-security-data:5.8.16-spring-security-5.8.17
- com.herodevs.nes.springframework.security:spring-security-ldap:5.8.16-spring-security-5.8.17
- com.herodevs.nes.springframework.security:spring-security-oauth2-client:5.8.16-spring-security-5.8.17
- com.herodevs.nes.springframework.security:spring-security-taglibs:5.8.16-spring-security-5.8.17
- com.herodevs.nes.springframework.security:spring-security-web:5.8.16-spring-security-5.8.17

5.7.15

Released on Nov 19, 2024

CVE-2024-38827

Full Version:

5.7.14-spring-security-5.7.15

Bug Fixes

This patches the Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
- com.herodevs.nes.springframework.security:spring-security-cas:5.7.14-spring-security-5.7.15
- com.herodevs.nes.springframework.security:spring-security-config:5.7.14-spring-security-5.7.15
- com.herodevs.nes.springframework.security:spring-security-core:5.7.14-spring-security-5.7.15
- com.herodevs.nes.springframework.security:spring-security-crypto:5.7.14-spring-security-5.7.15
- com.herodevs.nes.springframework.security:spring-security-data:5.7.14-spring-security-5.7.15
- com.herodevs.nes.springframework.security:spring-security-ldap:5.7.14-spring-security-5.7.15
- com.herodevs.nes.springframework.security:spring-security-oauth2-client:5.7.14-spring-security-5.7.15
- com.herodevs.nes.springframework.security:spring-security-taglibs:5.7.14-spring-security-5.7.15
- com.herodevs.nes.springframework.security:spring-security-web:5.7.14-spring-security-5.7.15

4.2.21

Released on Nov 7, 2024

Full Version:

4.2.20-spring-security-4.2.21

Notes

This is the initial release of Spring Security 4.2.20 from the open‑source Spring Security repository forked by HeroDevs.
This release contains no functional changes from Spring Security 4.2.20. Full Version: 4.2.20-spring-security-4.2.21

October 2024

5.8.16

Released on Oct 29, 2024

CVE-2024-38821

Full Version:

5.8.15-spring-security-5.8.16

Bug Fixes

This patches the Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
- com.herodevs.nes.springframework.security:spring-security-web:5.8.15-spring-security-5.8.16

5.7.14

Released on Oct 29, 2024

CVE-2024-38821

Full Version:

5.7.13-spring-security-5.7.14

Bug Fixes

This patches the Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
- com.herodevs.nes.springframework.security:spring-security-web:5.7.13-spring-security-5.7.14

September 2024

5.8.15

Released on Sep 20, 2024

Full Version:

5.8.14-spring-security-5.8.15

Notes

This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version 5.8.14.
Includes other modifications implemented by HeroDevs to ensure successful library builds. Full Version: 5.8.14-spring-security-5.8.15

August 2024

5.7.13

Released on Aug 26, 2024

Full Version:

5.7.12-spring-security-5.7.13

Notes

This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version 5.7.12.
Includes other modifications implemented by HeroDevs to ensure successful library builds.
Spring Security 5.7.12 includes Spring Framework 5.3.29. This release updates Spring Framework to NES version 5.3.40 which is equivalent to the original Spring Framework 5.3.39. For reference, here is a list of all included updates from Spring Framework included here:
- v5.3.30
- v5.3.31
- v5.3.32
- v5.3.33
- v5.3.34
- v5.3.35
- v5.3.36
- v5.3.37
- v5.3.38
- v5.3.39Full Version: 5.7.12-spring-security-5.7.13

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team