Spring Security Release Notes

5 versions

Release notes for Spring Security

Oct 24, 2025
Latest: 6.2.13
16 Patched CVEs

October 2025

6.2.13

Released on Oct 24, 2025
Full Version:
6.2.8-spring-security-6.2.13

Dependency Upgrades

  • Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.16
  • Spring Framework (NES) 6.1.21-spring-framework-6.1.25
  • Spring LDAP (NES) 3.2.13-spring-ldap-3.2.17

September 2025

6.2.12

Released on Sep 23, 2025
Full Version:
6.2.8-spring-security-6.2.12

Dependency Upgrades

  • Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.15
  • Spring Framework (NES) 6.1.21-spring-framework-6.1.24
  • Spring LDAP (NES) 3.2.13-spring-ldap-3.2.16

August 2025

6.2.11

Released on Aug 22, 2025
Full Version:
6.2.8-spring-security-6.2.11

Dependency Upgrades

  • Spring Framework (NES) 6.1.21-spring-framework-6.1.23

July 2025

6.2.10

Released on Jul 15, 2025
Full Version:
6.2.8-spring-security-6.2.10

Dependency Upgrades

  • Spring Data BOM (NES) 2023.1.12-spring-data-bom-2023.1.13
  • Spring Framework (NES) 6.1.21-spring-framework-6.1.22
  • Spring LDAP (NES) 3.2.13-spring-ldap-3.2.14

May 2025

6.2.9

Released on May 27, 2025
Full Version:
6.2.8-spring-security-6.2.9

Bug Fixes

  • This release patches the following:
    • CVE-2025-22234: Maximum password length enforced in the BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in the DaoAuthenticationProvider.
      • org.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9
    • CVE-2025-22228: Maximum password length is not enforced in BCryptPasswordEncoder
      • org.springframework.security:spring-security-crypto:6.2.8-spring-security-6.2.9

Notes

  • This release originates from the open‑source Spring Security repository forked by HeroDevs starting with version 6.2.8.
  • It includes other modifications implemented by HeroDevs to ensure successful library builds.
