This Week in Spring - November 10th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this I am preparing for a flight to North Carolina (first in flight!). This week's going to be busy, but next week even busier still! I'll be at AI By The Bay in San Francisco, AI Native Dev Con in NYC, and QCon SF i...
LLM Response Evaluation with Spring AI: Building LLM-as-a-Judge Using Recursive Advisors
The challenge of evaluating Large Language Model (LLM) outputs is critical for notoriously non-deterministic AI applications, especially as they move into production. Traditional metrics like ROUGE and BLEU fall short when assessing the nuanced, contextual responses that modern LLMs produce. Human...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Path Traversal Vulnerability in Spring Framework [CVE-2025-41242]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Path Traversal Vulnerability in Spring Framework when deployed on a non-compliant Servlet container (CVE-2025-41242). Spring Framework is used as part of our Java microservices. This vulnerability has been addressed. Please read the...
Spring gRPC Next Steps for 1.0.0
This is a new blog post in the Road to GA series, this time updating everyone on the plans to integrate Spring gRPC with Spring Boot 4. The original plan was to move the autoconfiguration from Spring gRPC into Spring Boot in time for the 4.0 release. Unfortunately we haven't been able to find the...
Create Self-Improving AI Agents Using Spring AI Recursive Advisors
The Spring AI ChatClient offers a fluent API for communicating with an AI model. The fluent API provides methods for building the constituent parts of a prompt that gets passed to the AI model as input. Advisors are a key part of the fluent API that intercept, modify, and enhance AI-driven...
This Week in Spring - November 4th, 2025
Hi, Spring fans! Welcome to another all-out installment of This Week in Spring wherein we attempt to recap all that's new and novel in the wild, wacky, and wonderful world of Springdom. And this week, I'm doing so from an airport in Switzerland, en route to Malmo, Sweden, for the amazing Oredev...
Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities (CVE-2024-38828,CVE-2024-38820)
Summary Spring MVC controller vulnerable to a DoS attack and DataBinder Case Sensitive Match Exception. These vulnerabilities were remediated. Vulnerability Details CVEID:CVE-2024-38828 DESCRIPTION: Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Spring (CVE-2025-41249)
Summary A vulnerability in Spring that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a...
Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities
Summary IBM Guardium Data Security Center has addressed these vulnerabilities with an update. Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized...
AWS Bedrock Prompt Caching Support in Spring AI
In our previous blog post about Anthropic prompt caching, we explored how prompt caching dramatically reduces API costs and latency by reusing previously processed prompt content. We introduced Spring AI's five strategic caching patterns for Anthropic Claude models and showed how they automatical...
This Week in Spring - October 28th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's a wonderful Tuesday here in my home town of San Francisco as I write this from my condo's balcony, fresh off more than three weeks on the road. By the time we'll speak again in a week, Halloween will have come and gone...
Introducing Spring AI Agents and Spring AI Bench
I'd like to introduce two new projects that are part of the Spring AI Community GitHub organization: Spring AI Agents, and Spring AI Bench. These two projects focus on using agentic coding tools—tools you likely already have in your enterprise. In 2025 AI coding agents have matured to the point...
Modularizing Spring Boot
Continuing our Road to GA series, this week we're exploring the modularization effort happening with Spring Boot 4. When Spring Boot 1.0 was released in 2014, it shipped with a single spring-boot-autoconfigure jar weighing in at 182 KiB. Of course, that initial version didn't support a great deal...
Security Bulletin: Reflected File Download (RFD) Vulnerability in Spring Framework Content-Disposition Header Handling (CWE-113), which affects IBM watsonx.data
Summary A Reflected File Download (RFD) vulnerability has been identified in VMware Spring Framework versions 6.0.5 to 6.2.7. The issue arises when an application sets a Content-Disposition response header using ContentDisposition.Builder#filename(String, Charset) with a non-ASCII charset and...
Linux Distros Unpatched Vulnerability : CVE-2025-41254
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and...
Prompt Caching Support in Spring AI with Anthropic Claude
Large language model API costs can accumulate quickly when applications repeatedly send the same prompt content. A typical scenario: you're building a document analyzer that includes a 3,000-token document in every request. Five questions about that document means processing 15,000 tokens of...
Expression Language Injection
Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection. The vulnerability is due to unsafe SpEL evaluation in routes due to the actuator gateway endpoint being exposed and accessible to untrusted users; attackers can create routes that use SpEL to read environment...
Security Bulletin: IBM Sterling Control Center is affected by vulnerabilities in Spring boot and Spring Security
Summary IBM Sterling Control Center is affected by vulnerabilities in Spring boot and Spring Security (CVE-2025-22235, CVE-2025-22228 and CVE-2024-38821) Vulnerability Details CVEID:CVE-2025-22235 DESCRIPTION: EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the...
Security Bulletin: IBM Sterling Control Center is affected by a vulnerability in spring-security-core-6.4.5.jar (CVE-2025-41232)
Summary IBM Sterling Control Center is affected by a vulnerability (CVE-2025-41232) in spring-security-core-6.4.5.jar. Vulnerability Details CVEID:CVE-2025-41232 DESCRIPTION: Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an...
VMware Spring Framework < 5.3.46, 6.0.x < 6.1.24, 6.2.x < 6.2.12 CSRF Vulnerability - Linux
The VMware Spring Framework is prone to a STOMP cross-site request forgery (CSRF) vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only...