Visit NES for Spring Home Page
Spring Web Services 2.4.x Release Notes
8 versions
Comprehensive release notes and changelog for Spring Web Services 2.4.x, including security patches, bug fixes, and feature updates across all supported versions.
June 2026
2.4.15
Released Jun 15, 2026 Full Version:
2.4.7-spring-ws-2.4.15
Bug Fixes
- Fixed
Wss4jSecurityInterceptorto initialize inbound validation with BSP enforcement enabled, restoring the WS-I Basic Security Profile protections that were disabled by default against malformed and downgrade-attack WS-Security messages (CVE-2026-40994). - Fixed
X509AuthenticationProviderto apply Spring Security's account lifecycle checks, preventing disabled, locked, expired, or credential-expired accounts from authenticating via mutual TLS or certificate-based SOAP (CVE-2026-40995). - Changed
Wss4jSecurityInterceptorto no longer defaultallowRSA15KeyTransportAlgorithmto true, so inbound WS-Security decryption no longer accepts weak RSA PKCS#1 v1.5 encrypted key material unless explicitly enabled (CVE-2026-40996). - Stopped
SpringSecurityUtils.checkUserValidityfrom embedding fullUserDetailsstate in thrown exception messages, closing an account-state information leak through SOAP authentication failures (CVE-2026-40997). - Fixed
Jaxp13XPathTemplateto evaluate XPath using spring-xml's hardened parsers, closing an XML External Entity (XXE) processing vulnerability on stream and SAX XPath sources (CVE-2026-40998). - Fixed Spring WS to treat
wsa:ReplyToandwsa:FaultTodestinations as peer-supplied, preventing Server-Side Request Forgery against internal hosts and cloud metadata endpoints via outbound reply delivery (CVE-2026-40999). - Wired Apache WSS4J
ReplayCacheinstances into validationRequestData, so UsernameToken nonces, WS-Security timestamps, and SAML constructs are subject to replay enforcement (CVE-2026-41000).
Dependency Upgrades
- Spring Framework (NES)
4.3.30-spring-framework-4.3.39 - Spring Security (NES)
4.2.20-spring-security-4.2.31
April 2026
2.4.14
Released Apr 28, 2026 Full Version:
2.4.7-spring-ws-2.4.14
Dependency Upgrades
- Spring Framework (NES)
4.3.30-spring-framework-4.3.38 - Spring Security (NES)
4.2.20-spring-security-4.2.30
March 2026
2.4.13
Released Mar 26, 2026 Full Version:
2.4.7-spring-ws-2.4.13
Dependency Upgrades
- Spring Framework (NES)
4.3.30-spring-framework-4.3.37 - Spring Security (NES)
4.2.20-spring-security-4.2.29
October 2025
2.4.12
Released Oct 23, 2025 Full Version:
2.4.7-spring-ws-2.4.12
Dependency Upgrades
- Spring Framework (NES)
4.3.30-spring-framework-4.3.36 - Spring Security (NES)
4.2.20-spring-security-4.2.28
August 2025
2.4.11
Released Aug 22, 2025 Full Version:
2.4.7-spring-ws-2.4.11
Dependency Upgrades
- Spring Framework (NES)
4.3.30-spring-framework-4.3.35
May 2025
2.4.10
Released May 21, 2025 Full Version:
2.4.7-spring-ws-2.4.10
Dependency Upgrades
- Spring Framework (NES):
4.3.30-spring-framework-4.3.34 - Spring Security (NES):
4.2.20-spring-security-4.2.26
February 2025
January 2024
2.4.8
Released Jan 21, 2024 Full Version:
2.4.7-spring-ws-2.4.8
Notes
- This release originates from the open‑source Spring Web Services (Spring-WS) repository version
2.4.7.RELEASE. forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful library builds. This release contains no functional changes from Spring WS2.4.7.RELEASE. Full Version:2.4.7-spring-ws-2.4.8
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh