Visit NES for Spring Home Page

Spring Security 5.7.x Release Notes

13 versions

Comprehensive release notes and changelog for Spring Security 5.7.x, including security patches, bug fixes, and feature updates across all supported versions.

Jun 15, 2026
Latest: 5.7.25
75 Patched Vulnerabilities
VEX Statements

June 2026

Full Version:
5.7.14-spring-security-5.7.25

Bug Fixes

  • Capped the inflated size of compressed SAML 2.0 REDIRECT-binding payloads in Saml2Utils, preventing an unauthenticated attacker from exhausting server memory (CVE-2026-40988).
  • Hardened the SAML 2.0 filters to route generated HTML forms through FormPostRedirectStrategy, preventing arbitrary code execution via attacker-influenced RelyingPartyRegistration values (CVE-2026-41003).
  • Reworked SAML login and logout validation so signature validation gates decryption, closing a decryption-oracle weakness in the OpenSAML authentication and logout providers (CVE-2026-41694).
  • Fixed an open-redirect vulnerability in CookieRequestCache and CookieServerRequestCache, which stored and used an unvalidated absolute redirect URL; saved requests now favor relative URIs (CVE-2026-41706).
  • Tightened Subject DN parsing in the deprecated SubjectDnX509PrincipalExtractor, preventing a crafted X.509 client certificate from authenticating as another user (CVE-2026-47838).

Dependency Upgrades

  • Spring Framework (NES) 5.3.39-spring-framework-5.3.52

April 2026

5.7.24

Released Apr 23, 2026
Full Version:
5.7.14-spring-security-5.7.24

Bug Fixes

  • Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).

Dependency Upgrades

  • Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.21
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.51
  • Spring LDAP (NES) 2.4.4-spring-ldap-2.4.12

March 2026

5.7.23

Released Mar 23, 2026
Full Version:
5.7.14-spring-security-5.7.23

Bug Fixes

  • Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

  • Spring Framework (NES) 5.3.39-spring-framework-5.3.50

October 2025

5.7.22

Released Oct 23, 2025
Full Version:
5.7.14-spring-security-5.7.22

Dependency Upgrades

  • Spring Framework (NES) 5.3.39-spring-framework-5.3.49

September 2025

5.7.21

Released Sep 23, 2025
Full Version:
5.7.14-spring-security-5.7.21

Dependency Upgrades

  • Spring Framework (NES) 5.3.39-spring-framework-5.3.48

August 2025

5.7.20

Released Aug 25, 2025
Full Version:
5.7.14-spring-security-5.7.20

Dependency Upgrades

  • Spring Data BOM (NES) 2021.2.18-spring-data-bom-2021.2.22
  • Spring Framework (NES) 5.3.39-spring-framework-5.3.47
  • Spring LDAP (NES) 2.4.4-spring-ldap-2.4.8

May 2025

5.7.19

Released May 20, 2025
Full Version:
5.7.14-spring-security-5.7.19

Dependency Upgrades

  • Spring Framework (NES): 5.3.39-spring-framework-5.3.46
  • Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.21

April 2025

5.7.18

Released Apr 23, 2025
Full Version:
5.7.14-spring-security-5.7.18

Bug Fixes

  • This patches the bug in Spring Security where the maximum password length enforced in the BCryptPasswordEncoder breaks timing attack mitigation in the DaoAuthenticationProvider (CVE-2025-22234).
    • org.springframework.security:spring-security-crypto:5.7.14-spring-security-5.7.18

March 2025

5.7.17

Released Mar 20, 2025
Full Version:
5.7.14-spring-security-5.7.17

Bug Fixes

  • This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
    • org.springframework.security:spring-security-crypto:5.7.14-spring-security-5.7.17

February 2025

5.7.16

Released Feb 24, 2025
Full Version:
5.7.14-spring-security-5.7.16

Notes

  • Publish Spring Security under the org.springframework.security group ID instead of com.herodevs.nes.springframework.security

Dependency Upgrades

  • Spring Framework (NES): 5.3.39-spring-framework-5.3.45
  • Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.20
  • Spring LDAP (NES): 2.4.4-spring-ldap-2.4.6

November 2024

5.7.15

Released Nov 19, 2024
Full Version:
5.7.14-spring-security-5.7.15

Bug Fixes

  • This patches the Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
    • com.herodevs.nes.springframework.security:spring-security-cas:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-config:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-core:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-crypto:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-data:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-ldap:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-oauth2-client:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-taglibs:5.7.14-spring-security-5.7.15
    • com.herodevs.nes.springframework.security:spring-security-web:5.7.14-spring-security-5.7.15

October 2024

5.7.14

Released Oct 29, 2024
Full Version:
5.7.13-spring-security-5.7.14

Bug Fixes

  • This patches the Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
    • com.herodevs.nes.springframework.security:spring-security-web:5.7.13-spring-security-5.7.14

August 2024

5.7.13

Released Aug 26, 2024
Full Version:
5.7.12-spring-security-5.7.13

Notes

  • This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version 5.7.12.
  • Includes other modifications implemented by HeroDevs to ensure successful library builds.
  • Spring Security 5.7.12 includes Spring Framework 5.3.29. This release updates Spring Framework to NES version 5.3.40 which is equivalent to the original Spring Framework 5.3.39. For reference, here is a list of all included updates from Spring Framework included here:
    • v5.3.30
    • v5.3.31
    • v5.3.32
    • v5.3.33
    • v5.3.34
    • v5.3.35
    • v5.3.36
    • v5.3.37
    • v5.3.38
    • v5.3.39Full Version: 5.7.12-spring-security-5.7.13

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.