HeroDevs

Visit NES for Spring Home Page

Spring Security 5.5.x Release Notes

1 version

Comprehensive release notes and changelog for Spring Security 5.5.x, including security patches, bug fixes, and feature updates across all supported versions.

Mar 11, 2026

Latest: 5.5.9

22 Patched Vulnerabilities

March 2026

5.5.9

Released last Wednesday

1 More

Full Version:

5.5.8-spring-security-5.5.9

Bug Fixes

This release patches the following:
- Maximum password length enforced in BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in DaoAuthenticationProvider (CVE-2025-22234).
- BCryptPasswordEncoder maximum password length is not enforced (CVE-2025-22228).
- Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
- Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
- Possible Broken Access Control With Direct Use of AuthenticatedVoter (CVE-2024-22257).
- Privilege Escalation in OAuth2 Client (CVE-2022-31690).

Notes

This release originates from the open‑source Spring Security repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Security 5.5.8.

Dependency Upgrades

Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.13
Spring Framework (NES) 5.3.39-spring-framework-5.3.49
Spring LDAP (NES) 2.3.8-spring-ldap-2.3.9

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team