Visit NES for Spring Home Page
Spring Security 4.2.x Release Notes
8 versions
Comprehensive release notes and changelog for Spring Security 4.2.x, including security patches, bug fixes, and feature updates across all supported versions.
October 2025
4.2.28
Released on Oct 23, 2025 Full Version:
4.2.20-spring-security-4.2.28
Dependency Upgrades
- Spring Framework (NES)
4.3.30-spring-framework-4.3.36
August 2025
4.2.27
Released on Aug 22, 2025 Full Version:
4.2.20-spring-security-4.2.27
Dependency Upgrades
- Spring Framework (NES)
4.3.30-spring-framework-4.3.35
May 2025
4.2.26
Released on May 20, 2025 Full Version:
4.2.20-spring-security-4.2.26
Dependency Upgrades
- Spring Framework (NES):
4.3.30-spring-framework-4.3.34
April 2025
4.2.25
Released on Apr 30, 2025 Full Version:
4.2.20-spring-security-4.2.25
Bug Fixes
- This patches the bug in Spring Security where the maximum password length enforced in the
BCryptPasswordEncoder(patch for CVE-20225-22228) breaks timing attack mitigation in theDaoAuthenticationProvider(CVE-2025-22234).org.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.25
March 2025
4.2.24
Released on Mar 20, 2025 Full Version:
4.2.20-spring-security-4.2.24
Bug Fixes
- This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
org.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.24
February 2025
4.2.23
Released on Feb 24, 2025 Full Version:
4.2.20-spring-security-4.2.23
Notes
- Publish Spring Security under the
org.springframework.securitygroup ID instead ofcom.herodevs.nes.springframework.security
Dependency Upgrades
- Spring Framework (NES):
4.3.30-spring-framework-4.3.33
December 2024
4.2.22
Released on Dec 18, 2024 Full Version:
4.2.20-spring-security-4.2.22
Bug Fixes
- This release patches the following:
- Changing SecurityContext More Than Once in Single Request Can Fail to Save (CVE-2021-22112).
com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
- Authorization Bypass in RegexRequestMatcher (CVE-2022-22978).
com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
- Possible Broken Access Control in Spring Security With Direct Use of AuthenticatedVoter (CVE-2024-22257).
com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
- Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
com.herodevs.nes.springframework.security:spring-security-cas:4.2.20-spring-security-4.2.22com.herodevs.nes.springframework.security:spring-security-config:4.2.20-spring-security-4.2.22com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22com.herodevs.nes.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.22com.herodevs.nes.springframework.security:spring-security-ldap:4.2.20-spring-security-4.2.22com.herodevs.nes.springframework.security:spring-security-taglibs:4.2.20-spring-security-4.2.22com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
- Changing SecurityContext More Than Once in Single Request Can Fail to Save (CVE-2021-22112).
Notes
- Spring Security
4.2.22NES release updates Spring Framework to NES version4.3.32.
November 2024
4.2.21
Released on Nov 7, 2024 Full Version:
4.2.20-spring-security-4.2.21
Notes
- This is the initial release of Spring Security
4.2.20from the open‑source Spring Security repository forked by HeroDevs. - This release contains no functional changes from Spring Security
4.2.20. Full Version:4.2.20-spring-security-4.2.21
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh