Spring Security Release Notes
11 versions
Release notes for Spring Security
Oct 23, 2025
Latest: 5.8.25
16 Patched CVEs
October 2025
5.8.25
Released on Oct 23, 2025
Full Version: 5.8.16-spring-security-5.8.25
Dependency Upgrades
- Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.24
- Spring Framework (NES): 5.3.39-spring-framework-5.3.49
- Spring LDAP (NES): 2.4.4-spring-ldap-2.4.10
September 2025
5.8.24
Released on Sep 23, 2025
Full Version: 5.8.16-spring-security-5.8.24
Dependency Upgrades
- Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.23
- Spring Framework (NES): 5.3.39-spring-framework-5.3.48
- Spring LDAP (NES): 2.4.4-spring-ldap-2.4.9
August 2025
5.8.23
Released on Aug 25, 2025
Full Version: 5.8.16-spring-security-5.8.23
Dependency Upgrades
- Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.22
- Spring Framework (NES): 5.3.39-spring-framework-5.3.47
- Spring LDAP (NES): 2.4.4-spring-ldap-2.4.8
May 2025
5.8.22
Released on May 20, 2025
Full Version: 5.8.16-spring-security-5.8.22
Dependency Upgrades
- Spring Framework (NES): 5.3.39-spring-framework-5.3.46
- Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.21
- Spring LDAP (NES): 2.4.4-spring-ldap-2.4.7
April 2025
5.8.21
Released on Apr 23, 2025
Full Version: 5.8.16-spring-security-5.8.21
Bug Fixes
- This patches the bug in Spring Security where the maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in the DaoAuthenticationProvider (CVE-2025-22234).
  org.springframework.security:spring-security-crypto:5.8.16-spring-security-5.8.21
March 2025
5.8.20
Released on Mar 20, 2025
Full Version: 5.8.16-spring-security-5.8.20
Bug Fixes
- This patches the bug in Spring Security BCryptPasswordEncoder where maximum password length is not enforced (CVE-2025-22228).
  org.springframework.security:spring-security-crypto:5.8.16-spring-security-5.8.20
February 2025
5.8.18
Released on Feb 24, 2025
Full Version: 5.8.16-spring-security-5.8.18
Notes
- Publish Spring Security under the org.springframework.security group ID instead of com.herodevs.nes.springframework.security
Dependency Upgrades
- Spring Framework (NES): 5.3.39-spring-framework-5.3.45
- Spring Data BOM (NES): 2021.2.18-spring-data-bom-2021.2.20
- Spring LDAP (NES): 2.4.4-spring-ldap-2.4.6
November 2024
5.8.17
Released on Nov 19, 2024
Full Version: 5.8.16-spring-security-5.8.17
Bug Fixes
- This patches the Spring Security Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
  com.herodevs.nes.springframework.security:spring-security-cas:5.8.16-spring-security-5.8.17
  com.herodevs.nes.springframework.security:spring-security-config:5.8.16-spring-security-5.8.17
  com.herodevs.nes.springframework.security:spring-security-core:5.8.16-spring-security-5.8.17
  com.herodevs.nes.springframework.security:spring-security-crypto:5.8.16-spring-security-5.8.17
  com.herodevs.nes.springframework.security:spring-security-data:5.8.16-spring-security-5.8.17
  com.herodevs.nes.springframework.security:spring-security-ldap:5.8.16-spring-security-5.8.17
  com.herodevs.nes.springframework.security:spring-security-oauth2-client:5.8.16-spring-security-5.8.17
  com.herodevs.nes.springframework.security:spring-security-taglibs:5.8.16-spring-security-5.8.17
  com.herodevs.nes.springframework.security:spring-security-web:5.8.16-spring-security-5.8.17
October 2024
5.8.16
Released on Oct 29, 2024
Full Version: 5.8.15-spring-security-5.8.16
Bug Fixes
- This patches the Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
  com.herodevs.nes.springframework.security:spring-security-web:5.8.15-spring-security-5.8.16
September 2024