Spring Security 4.2.x Release Notes

9 versions

Comprehensive release notes and changelog for Spring Security 4.2.x, including security patches, bug fixes, and feature updates across all supported versions.

Mar 23, 2026

Latest: 4.2.29

33 Patched Vulnerabilities

VEX Statements

March 2026

4.2.29

Released Mar 23, 2026

CVE-2026-22732

Full Version:

4.2.20-spring-security-4.2.29

Bug Fixes

Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

Spring Framework (NES) 4.3.30-spring-framework-4.3.37

October 2025

4.2.28

Released Oct 23, 2025

Full Version:

4.2.20-spring-security-4.2.28

Dependency Upgrades

Spring Framework (NES) 4.3.30-spring-framework-4.3.36

August 2025

4.2.27

Released Aug 22, 2025

Full Version:

4.2.20-spring-security-4.2.27

Dependency Upgrades

Spring Framework (NES) 4.3.30-spring-framework-4.3.35

May 2025

4.2.26

Released May 20, 2025

Full Version:

4.2.20-spring-security-4.2.26

Dependency Upgrades

Spring Framework (NES): 4.3.30-spring-framework-4.3.34

April 2025

4.2.25

Released Apr 30, 2025

CVE-2025-22228

CVE-2025-22234

Full Version:

4.2.20-spring-security-4.2.25

Bug Fixes

This patches the bug in Spring Security where the maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in the DaoAuthenticationProvider (CVE-2025-22234).
- org.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.25

March 2025

4.2.24

Released Mar 20, 2025

CVE-2025-22228

Full Version:

4.2.20-spring-security-4.2.24

Bug Fixes

This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
- org.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.24

February 2025

4.2.23

Released Feb 24, 2025

Full Version:

4.2.20-spring-security-4.2.23

Notes

Publish Spring Security under the org.springframework.security group ID instead of com.herodevs.nes.springframework.security

Dependency Upgrades

Spring Framework (NES): 4.3.30-spring-framework-4.3.33

December 2024

4.2.22

Released Dec 18, 2024

Full Version:

4.2.20-spring-security-4.2.22

Bug Fixes

This release patches the following:
- Changing SecurityContext More Than Once in Single Request Can Fail to Save (CVE-2021-22112).
  - com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
- Authorization Bypass in RegexRequestMatcher (CVE-2022-22978).
  - com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22
- Possible Broken Access Control in Spring Security With Direct Use of AuthenticatedVoter (CVE-2024-22257).
  - com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
- Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
  - com.herodevs.nes.springframework.security:spring-security-cas:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-config:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-core:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-crypto:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-ldap:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-taglibs:4.2.20-spring-security-4.2.22
  - com.herodevs.nes.springframework.security:spring-security-web:4.2.20-spring-security-4.2.22

Notes

Spring Security 4.2.22 NES release updates Spring Framework to NES version 4.3.32.

November 2024

4.2.21

Released Nov 7, 2024

Full Version:

4.2.20-spring-security-4.2.21

Notes

This is the initial release of Spring Security 4.2.20 from the open‑source Spring Security repository forked by HeroDevs.
This release contains no functional changes from Spring Security 4.2.20. Full Version: 4.2.20-spring-security-4.2.21

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team