Spring Security Release Notes
8 versions
Release notes for Spring Security
Oct 23, 2025
Latest: 4.2.28
16 Patched CVEs
October 2025
4.2.28
Released on Oct 23, 2025 Full Version:
4.2.20-spring-security-4.2.28
Dependency Upgrades
- Spring Framework (NES)
4.3.30-spring-framework-4.3.36
August 2025
4.2.27
Released on Aug 22, 2025 Full Version:
4.2.20-spring-security-4.2.27
Dependency Upgrades
- Spring Framework (NES)
4.3.30-spring-framework-4.3.35
May 2025
4.2.26
Released on May 20, 2025 Full Version:
4.2.20-spring-security-4.2.26
Dependency Upgrades
- Spring Framework (NES):
4.3.30-spring-framework-4.3.34
April 2025
4.2.25
Released on Apr 30, 2025 Full Version:
4.2.20-spring-security-4.2.25
Bug Fixes
- This patches the bug in Spring Security where the maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in the DaoAuthenticationProvider (CVE-2025-22234).
org.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.25
March 2025
4.2.24
Released on Mar 20, 2025 Full Version:
4.2.20-spring-security-4.2.24
Bug Fixes
- This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
org.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.24
February 2025
4.2.23
Released on Feb 24, 2025 Full Version:
4.2.20-spring-security-4.2.23
Notes
- Publish Spring Security under the org.springframework.security group ID instead of com.herodevs.nes.springframework.security
Dependency Upgrades
- Spring Framework (NES):
4.3.30-spring-framework-4.3.33
December 2024
4.2.22
Released on Dec 18, 2024 Full Version:
4.2.20-spring-security-4.2.22
Bug Fixes
- This release patches the following:
- Changing SecurityContext More Than Once in Single Request Can Fail to Save (CVE-2021-22112).
com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
- Authorization Bypass in RegexRequestMatcher (CVE-2022-22978).
com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
- Possible Broken Access Control in Spring Security With Direct Use of AuthenticatedVoter (CVE-2024-22257).
com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
- Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
com.herodevs.nes.springframework.security:spring-security-cas:4.2.20-spring-security-4.2.22
com.herodevs.nes.springframework.security:spring-security-config:4.2.20-spring-security-4.2.22
com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
com.herodevs.nes.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.22
com.herodevs.nes.springframework.security:spring-security-ldap:4.2.20-spring-security-4.2.22
com.herodevs.nes.springframework.security:spring-security-taglibs:4.2.20-spring-security-4.2.22
com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
Notes
- Spring Security 4.2.22 NES release updates Spring Framework to NES version 4.3.32.