Visit NES for Spring Home Page
Spring Web Services 3.1.x Release Notes
10 versions
Comprehensive release notes and changelog for Spring Web Services 3.1.x, including security patches, bug fixes, and feature updates across all supported versions.
June 2026
3.1.18
Released Jun 15, 2026 Full Version:
3.1.8-spring-ws-3.1.18
Bug Fixes
- Fixed
Wss4jSecurityInterceptorto initialize inbound validation with BSP enforcement enabled, restoring the WS-I Basic Security Profile protections that were disabled by default against malformed and downgrade-attack WS-Security messages (CVE-2026-40994). - Fixed
X509AuthenticationProviderto apply Spring Security's account lifecycle checks, preventing disabled, locked, expired, or credential-expired accounts from authenticating via mutual TLS or certificate-based SOAP (CVE-2026-40995). - Changed
Wss4jSecurityInterceptorto no longer defaultallowRSA15KeyTransportAlgorithmto true, so inbound WS-Security decryption no longer accepts weak RSA PKCS#1 v1.5 encrypted key material unless explicitly enabled (CVE-2026-40996). - Stopped
SpringSecurityUtils.checkUserValidityfrom embedding fullUserDetailsstate in thrown exception messages, closing an account-state information leak through SOAP authentication failures (CVE-2026-40997). - Fixed
Jaxp13XPathTemplateto evaluate XPath using spring-xml's hardened parsers, closing an XML External Entity (XXE) processing vulnerability on stream and SAX XPath sources (CVE-2026-40998). - Fixed Spring WS to treat
wsa:ReplyToandwsa:FaultTodestinations as peer-supplied, preventing Server-Side Request Forgery against internal hosts and cloud metadata endpoints via outbound reply delivery (CVE-2026-40999). - Wired Apache WSS4J
ReplayCacheinstances into validationRequestData, so UsernameToken nonces, WS-Security timestamps, and SAML constructs are subject to replay enforcement (CVE-2026-41000).
Dependency Upgrades
- Spring Framework (NES)
5.3.39-spring-framework-5.3.52 - Spring Security (NES)
5.7.14-spring-security-5.7.25
April 2026
3.1.17
Released Apr 28, 2026 Full Version:
3.1.8-spring-ws-3.1.17
Dependency Upgrades
- Spring Framework (NES)
5.3.39-spring-framework-5.3.51 - Spring Security (NES)
5.7.14-spring-security-5.7.24
March 2026
3.1.16
Released Mar 25, 2026 Full Version:
3.1.8-spring-ws-3.1.16
Dependency Upgrades
- Spring Framework (NES)
5.3.39-spring-framework-5.3.50
October 2025
3.1.15
Released Oct 23, 2025 Full Version:
3.1.8-spring-ws-3.1.15
Dependency Upgrades
- Spring Framework (NES)
5.3.39-spring-framework-5.3.49 - Spring Security (NES)
5.7.14-spring-security-5.7.22
September 2025
3.1.14
Released Sep 23, 2025 Full Version:
3.1.8-spring-ws-3.1.14
Dependency Upgrades
- Spring Framework (NES)
5.3.39-spring-framework-5.3.48 - Spring Security (NES)
5.7.14-spring-security-5.7.21
August 2025
3.1.13
Released Aug 25, 2025 Full Version:
3.1.8-spring-ws-3.1.13
Dependency Upgrades
- Spring Framework (NES)
5.3.39-spring-framework-5.3.47 - Spring Security (NES)
5.7.14-spring-security-5.7.20
May 2025
3.1.12
Released May 19, 2025 Full Version:
3.1.8-spring-ws-3.1.12
Dependency Upgrades
- Spring Framework (NES):
5.3.39-spring-framework-5.3.46
March 2025
February 2025
3.1.10
Released Feb 24, 2025 Full Version:
3.1.8-spring-ws-3.1.10
Notes
- Publish Spring WS under the
org.springframework.wsgroup ID instead ofcom.herodevs.nes.springframework.ws
Dependency Upgrades
- Spring Framework (NES):
5.3.39-spring-framework-5.3.45
October 2024
3.1.9
Released Oct 15, 2024 Full Version:
3.1.8-spring-ws-3.1.9
Notes
- This release originates from the open‑source Spring Web Services (Spring-WS) repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful library builds. This release contains no functional changes from Spring WS
3.1.8. Full Version:3.1.8-spring-ws-3.1.9
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh