This Week in Spring - Spring Boot 4 edition! - November 25th, 2025

Hi, Spring fans! Welcome to another illustrious installment of This Week in Spring! It’s Thanksgiving week here in the United States. Thanksgiving is traditionally celebrated with friends and family every fourth Thursday of November, gathered around a table full of food and, usually, a giant...

Spring Framework 5.3.x < 5.3.46 / 6.1.x < 6.1.24 / 6.2.x < 6.2.12 STOMP CSRF (CVE-2025-41254)

The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.46, 6.1.x prior to 6.1.24, or 6.2.x prior to 6.2.12. It is, therefore, affected by a STOMP CSRF vulnerability: - STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to...

A Bootiful Podcast: The legendary Sébastien Deleuze on all that's new and nice in Spring Framework 7

Hi, Spring fans! Happy Spring Boot 4.0 release day! Make sure to get the bits on the Spring Initializr you know - start.spring.io! This release is packed with new features, a lot of which comes from Spring Framework 7. To help break it down for us this week, we’re joined by none other than the...

Security Bulletin: Logback-Core ≤1.5.18 Conditional Config Processing Flaw Enables ACE via Malicious Config or Env Variable

Summary ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before...

This Week in Spring - November 18th, 2025

This Week in Spring - November 18th, 2025 Hi, Spring fans! I'm thrilled to be in New York City for an exciting week of joint presentations on Spring AI + Bedrock and Spring Boot with the legendary James Ward. First up: we'll present a workshop at the AI Native Dev Conf today, then speak at the...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Path Traversal Vulnerability in Spring Framework [CVE-2025-41242]

Summary IBM Watson Speech Services Cartridge is vulnerable to a Path Traversal Vulnerability in Spring Framework when deployed on a non-compliant Servlet container CVE-2025-41242. Spring Framework is used as part of our java microservices. This vulnerabilitiy has been addressed. Please read the...

Spring gRPC Next Steps for 1.0.0

This is a new blog post in the Road to GA series, this time updating everyone on the plans to integrate Spring gRPC with Spring Boot 4. The original plan was to move the autoconfiguration from Spring gRPC into Spring Boot in time for the 4.0 release. Unfortunately we haven't been able to find the...

This Week in Spring - November 4th, 2025

Hi, Spring fans! Welcome to another all-out installment of This Week in Spring wherein we attempt to recap all that's new and novel in the wild, wacky, and wonderful world of Springdom. And this week, I'm doing so from an airport in Switzerland, en route to Malmo, Sweden, for the amazing Oredev...

Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities (CVE-2024-38828,CVE-2024-38820)

Summary Spring MVC controller vulnerable to a DoS attack and DataBinder Case Sensitive Match Exception. These vulnerabilities were remediated. Vulnerability Details CVEID:CVE-2024-38828 DESCRIPTION: Spring MVC controller methods with an @RequestBody byte method parameter are vulnerable to a DoS...

Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities

Summary IBM Guardium Data Security Center has addressed these vulnerabilties with an update. Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized...

This Week in Spring - October 28th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's a wonderful tuesday here in my home town of San Francisco as I write this from my condo's balcony, fresh off more than three weeks on the road. By the time we'll speak again in a week, Halloween will have come and gone...

Security Bulletin: Reflected File Download (RFD) Vulnerability in Spring Framework Content-Disposition Header Handling (CWE-113), which affects IBM watsonx.data

Summary A Reflected File Download RFD vulnerability has been identified in VMware Spring Framework versions 6.0.5 to 6.2.7. The issue arises when an application sets a Content-Disposition response header using ContentDisposition.BuilderfilenameString, Charset with a non-ASCII charset and...

Linux Distros Unpatched Vulnerability : CVE-2025-41254

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and...

VMware Spring Framework < 5.3.46, 6.0.x < 6.1.24, 6.2.x < 6.2.12 CSRF Vulnerability - Linux

The VMware Spring Framework is prone to a STOMP cross-site request forgery CSRF vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...

VMware Spring Framework < 5.3.46, 6.0.x < 6.1.24, 6.2.x < 6.2.12 CSRF Vulnerability - Windows

The VMware Spring Framework is prone to a STOMP cross-site request forgery CSRF vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...

Security Bulletin: vulerability in IBM Spectrum Symphony with spring webmvc

Summary vulerability in IBM Spectrum Symphony with spring webmvc Vulnerability Details CVEID:CVE-2024-38819 DESCRIPTION: Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HT...

Security Bulletin: IBM Content Navigator consumes vulnerable spring framework library

Summary A bypass vulnerability where, despite CVE-2024-38820 ensuring Locale-independent lowercase conversion for disallowedFields patterns and request parameter names, there are still cases where it is possible to bypass the disallowedFields checks . Vulnerability Details CVEID:CVE-2025-22233...

Security Bulletin: IBM Content Navigator consumes vulnerable spring framework library

Summary Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions. A vulnerability where the fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive, but String.toLowerCase has Locale-dependent exceptions that could potentially result in...

Security Bulletin: IBM Content Navigator consumes vulnerable spring framework library

Summary Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions. The vulnerability involves case-sensitive patterns for disallowedFields on a DataBinder, meaning a field is not effectively protected unless it is listed with both upper and lower case for the first...

Security Bulletin: IBM Content Navigator consumes vulnerable spring framework library

Summary Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions. The vulnerability involves another data bypass issue relaed to data binding field protection Vulnerability Details CVEID:CVE-2025-22233 DESCRIPTION: CVE-2024-38820 ensured Locale-independent, lowerca...