Visit NES for Spring Home Page

Spring Web Services 2.4.x Release Notes

8 versions

Comprehensive release notes and changelog for Spring Web Services 2.4.x, including security patches, bug fixes, and feature updates across all supported versions.

Jun 15, 2026
Latest: 2.4.15
21 Patched Vulnerabilities
VEX Statements

June 2026

Full Version:
2.4.7-spring-ws-2.4.15

Bug Fixes

  • Fixed Wss4jSecurityInterceptor to initialize inbound validation with BSP enforcement enabled, restoring the WS-I Basic Security Profile protections that were disabled by default against malformed and downgrade-attack WS-Security messages (CVE-2026-40994).
  • Fixed X509AuthenticationProvider to apply Spring Security's account lifecycle checks, preventing disabled, locked, expired, or credential-expired accounts from authenticating via mutual TLS or certificate-based SOAP (CVE-2026-40995).
  • Changed Wss4jSecurityInterceptor to no longer default allowRSA15KeyTransportAlgorithm to true, so inbound WS-Security decryption no longer accepts weak RSA PKCS#1 v1.5 encrypted key material unless explicitly enabled (CVE-2026-40996).
  • Stopped SpringSecurityUtils.checkUserValidity from embedding full UserDetails state in thrown exception messages, closing an account-state information leak through SOAP authentication failures (CVE-2026-40997).
  • Fixed Jaxp13XPathTemplate to evaluate XPath using spring-xml's hardened parsers, closing an XML External Entity (XXE) processing vulnerability on stream and SAX XPath sources (CVE-2026-40998).
  • Fixed Spring WS to treat wsa:ReplyTo and wsa:FaultTo destinations as peer-supplied, preventing Server-Side Request Forgery against internal hosts and cloud metadata endpoints via outbound reply delivery (CVE-2026-40999).
  • Wired Apache WSS4J ReplayCache instances into validation RequestData, so UsernameToken nonces, WS-Security timestamps, and SAML constructs are subject to replay enforcement (CVE-2026-41000).

Dependency Upgrades

  • Spring Framework (NES) 4.3.30-spring-framework-4.3.39
  • Spring Security (NES) 4.2.20-spring-security-4.2.31

April 2026

2.4.14

Released Apr 28, 2026
Full Version:
2.4.7-spring-ws-2.4.14

Dependency Upgrades

  • Spring Framework (NES) 4.3.30-spring-framework-4.3.38
  • Spring Security (NES) 4.2.20-spring-security-4.2.30

March 2026

2.4.13

Released Mar 26, 2026
Full Version:
2.4.7-spring-ws-2.4.13

Dependency Upgrades

  • Spring Framework (NES) 4.3.30-spring-framework-4.3.37
  • Spring Security (NES) 4.2.20-spring-security-4.2.29

October 2025

2.4.12

Released Oct 23, 2025
Full Version:
2.4.7-spring-ws-2.4.12

Dependency Upgrades

  • Spring Framework (NES) 4.3.30-spring-framework-4.3.36
  • Spring Security (NES) 4.2.20-spring-security-4.2.28

August 2025

2.4.11

Released Aug 22, 2025
Full Version:
2.4.7-spring-ws-2.4.11

Dependency Upgrades

  • Spring Framework (NES) 4.3.30-spring-framework-4.3.35

May 2025

2.4.10

Released May 21, 2025
Full Version:
2.4.7-spring-ws-2.4.10

Dependency Upgrades

  • Spring Framework (NES): 4.3.30-spring-framework-4.3.34
  • Spring Security (NES): 4.2.20-spring-security-4.2.26

February 2025

2.4.9

Released Feb 24, 2025
Full Version:
2.4.7-spring-ws-2.4.9

Notes

  • Publish Spring WS under the org.springframework.ws group ID instead of com.herodevs.nes.springframework.ws

January 2024

2.4.8

Released Jan 21, 2024
Full Version:
2.4.7-spring-ws-2.4.8

Notes

  • This release originates from the open‑source Spring Web Services (Spring-WS) repository version 2.4.7.RELEASE. forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful library builds. This release contains no functional changes from Spring WS 2.4.7.RELEASE. Full Version: 2.4.7-spring-ws-2.4.8

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.