Visit NES for Spring Home Page
Spring Security Release Notes
5 versions
Release notes for Spring Security
Oct 24, 2025
Latest: 6.2.13
16 Patched CVEs
October 2025
6.2.13
Released on Oct 24, 2025 Full Version:
6.2.8-spring-security-6.2.13
Dependency Upgrades
- Spring Data BOM (NES)
2023.1.12-spring-data-bom-2023.1.16 - Spring Framework (NES)
6.1.21-spring-framework-6.1.25 - Spring LDAP (NES)
3.2.13-spring-ldap-3.2.17
September 2025
6.2.12
Released on Sep 23, 2025 Full Version:
6.2.8-spring-security-6.2.12
Dependency Upgrades
- Spring Data BOM (NES)
2023.1.12-spring-data-bom-2023.1.15 - Spring Framework (NES)
6.1.21-spring-framework-6.1.24 - Spring LDAP (NES)
3.2.13-spring-ldap-3.2.16
August 2025
6.2.11
Released on Aug 22, 2025 Full Version:
6.2.8-spring-security-6.2.11
Dependency Upgrades
- Spring Framework (NES)
6.1.21-spring-framework-6.1.23
July 2025
6.2.10
Released on Jul 15, 2025 Full Version:
6.2.8-spring-security-6.2.10
Dependency Upgrades
- Spring Data BOM (NES)
2023.1.12-spring-data-bom-2023.1.13 - Spring Framework (NES)
6.1.21-spring-framework-6.1.22 - Spring LDAP (NES)
3.2.13-spring-ldap-3.2.14
May 2025
6.2.9
Released on May 27, 2025 Full Version:
6.2.8-spring-security-6.2.9
Bug Fixes
- This release patches the following:
- CVE-2025-22234: Maximum password length enforced in the
BCryptPasswordEncoder(patch for CVE-20225-22228) breaks timing attack mitigation in theDaoAuthenticationProvider.org.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9
- CVE-2025-22228: Maximum password length is not enforced in
BCryptPasswordEncoderorg.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9
- CVE-2025-22234: Maximum password length enforced in the
Notes
- This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version
6.2.8. - Includes other modifications implemented by HeroDevs to ensure successful library builds.
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh