Search: Spring (sorted by most viewed)

924 matches found

Spring Security Advisories | added 2025/03/04 12:00 a.m. | 8 views

Spring gRPC 0.4.0 for great good!

NB: you can find the working code for this blog here. There's a new release of the amazing—if experimental—Spring gRPC project: version 0.4.0. I won't get into the nitty-gritty of all that's new, but I just wanted to highlight how elated I am to use it and walk you through the step-by-step path t...

AI score 7.4 | Exploits 0
Spring Security Advisories | added 2025/02/25 12:00 a.m. | 8 views

This Week in Spring - February 25th, 2025

Hi, Spring fans, and welcome to another rip-roarin' installment of This Week in Spring! Later today I'll board a plane for magnificent Montreal, Canada for the amazing Confoo conference! I'm super excited! Good news everybody! Spring Boot 3.5.0-M2 is now available! In last week's installment of t...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2025/02/20 12:00 a.m. | 8 views

A Bootiful Podcast: BellSoft's Catherine Edelveis

Hi, Spring and JDK fans! In this week's episode I talk to BellSoft developer advocate Catherine Edelveis java springboot jre jdk graalvm CRaC...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2025/02/11 12:00 a.m. | 8 views

This Week in Spring - February 11th, 2025

Hi, Spring fans! It's almost Valentine's day, and let me just say: I love the Spring community! It's such an exciting and interesting place to be. Thank you everyone for all that you do. I'm busy preparing for ConFoo, in Montreal, Canada, and for Devnexus, in Atlanta, Georgia. If you're around be...

AI score 7.9 | Exploits 0
Spring Security Advisories | added 2025/01/21 12:00 a.m. | 8 views

Building Effective Agents with Spring AI (Part 1)

In a recent research publication, Building effective agents, Anthropic shared valuable insights about building effective Large Language Model (LLM) agents. What makes this research particularly interesting is its emphasis on simplicity and composability over complex frameworks. Let's explore how...

AI score 7.5 | Exploits 0
Spring Security Advisories | added 2025/01/09 12:00 a.m. | 8 views

A Bootiful Podcast: Dr. Dave Syer on the new and nifty Spring gRPC project

Hi, Spring fans! In this installment I talk to the good and the great Dr. Dave Syer about the experimental! new Spring gRPC project!...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2024/12/03 12:00 a.m. | 8 views

Extending Spring Data Repositories Just Got Easier

Since its inception, Spring Data Repositories have been designed for extension, whether you want to customize a single query method or provide a completely new base implementation. The 2024.1 release enhances your ability to extend a repository with custom functionality, making it easier than ever...

AI score 6.9 | Exploits 0
Spring Security Advisories | added 2024/11/19 12:00 a.m. | 8 views

Why Spring AI: The Seamless Path to Generative AI

Why Spring AI: The Seamless Path for Spring Developers to the World of Generative AI. Intro: As a Java developer exploring the world of generative AI, you're probably aware of several frameworks that promise to make AI integration easy. I believe Spring AI stands out as the natural choice, especial...

AI score 6.7 | Exploits 0
Spring Security Advisories | added 2024/10/07 12:00 a.m. | 8 views

From Spring Cloud Data Flow 2.11.x to 3.0

Dear Spring Community, With the recent announcement of Spring Framework 7.0 and Spring Boot 4.0, the Spring Cloud Data Flow team is pleased to announce the next major release, SCDF 3.0, to align with both Spring Framework 7.0 and Spring Boot 4.0. This will bring the following SCDF ecosystem of...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2024/09/26 12:00 a.m. | 8 views

A Bootiful Podcast: Oracle Java Developer Advocate Billy Korando on Java 23, Structured Concurrency, and more

Hi, Spring fans! In this installment I talk to Java Developer Advocate at Oracle, Billy Korando, about the amazing new features in Java 23 and beyond!...

AI score 7.1 | Exploits 0
Spring Security Advisories | added 2024/09/12 12:00 a.m. | 8 views

A Bootiful Podcast: Spring creator and cofounder, Dr. Rod Johnson

In this wide-ranging interview, I finally sit down one-on-one and talk to Dr. Rod Johnson, the creator of Spring, entrepreneur, venture capitalist, engineer, father, Kotlin fan, AI researcher, and musician, about this, that, and everything in between, fresh off our recent SpringOne presentation o...

AI score 7.1 | Exploits 0
Spring Security Advisories | added 2024/09/06 12:00 a.m. | 8 views

A Bootiful Podcast: Sébastien Deleuze on Spring Framework and Kotlin, GraalVM, Project Leyden, AppCDS, runtime efficiency, Kotlin, and more

Dive deep into the world of Spring Framework and Kotlin, GraalVM, Project Leyden, AppCDS, runtime efficiency, Kotlin, and more, with the one and only Sébastien Deleuze! From runtime efficiency to all things Kotlin, this episode is packed with expert insights and valuable information. Don't miss o...

AI score 7.1 | Exploits 0
Spring Security Advisories | added 2024/09/03 12:00 a.m. | 8 views

This Week in Spring - September 3rd, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's September 3rd, and I'm still buzzing from the last week's SpringOne extravaganza! Also: I'm tired. Last week was nuts. I'm super glad it happened, but I'm tired. And also buzzing. You know? Surely you don't. I hope not...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2024/08/07 12:00 a.m. | 8 views

This Week in Spring - August 6th, 2024

It's August! Egads, has that come quickly! AUGUST. The eighth month of the year, and we're almost done with the first week, in fact! It's not that I'm not grateful to be here, but, yah, wow that was quick. And, of course, the month of my all time double dutch favorite conference, SpringOne,...

AI score 7.1 | Exploits 0
Spring Security Advisories | added 2024/07/04 12:00 a.m. | 8 views

A Bootiful Podcast: JobRunr creator Ronald Dehuysser

Hi, Spring fans! Happy 4th of July, if you celebrate! In this installment of A Bootiful Podcast, I talk to JobRunr.io creator Ronald Dehuysser, recorded live from the amazing Spring IO 2024 show in beautiful Barcelona, Spain!...

AI score 7.1 | Exploits 0
Spring Security Advisories | added 2024/05/23 12:00 a.m. | 8 views

Arbitrary File Write Vulnerability in Spring Cloud Data Flow

Spring Cloud Data Flow provides microservices-based streaming and batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization of the upload path, a malicious user who has access to the Skipper server API...

CVSS 8.8 | AI score 6.9 | EPSS 0.17537 | Exploits 1
Spring Security Advisories | added 2024/04/11 12:00 a.m. | 8 views

Spring Framework URL Parsing with Host Validation (3rd report)

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks. This is the...

CVSS 8.1 | AI score 6.6 | EPSS 0.01191 | Exploits 2 | References 1
Spring Security Advisories | added 2024/03/20 12:00 a.m. | 8 views

Spring Tips: the Exposed ORM for Kotlin

Hi, Spring fans! In this installment we look at the Exposed Object Relational Mapper framework for Kotlin. Kotlin Java JDBC springboot...

AI score 7.3 | Exploits 0
Spring Security Advisories | added 2024/03/15 12:00 a.m. | 8 views

Spring Boot Testjars founder Rob Winch

Hi, Spring fans! In this week's installment we talk to Rob Winch, lead of Spring Security and founder of the exciting new project Spring Boot Testjars...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2024/02/29 12:00 a.m. | 8 views

A Bootiful Podcast: Roni Dover on Digma AI

Hi, Spring fans! In this installment we talk to Digma AI founder Roni Dover...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2023/12/28 12:00 a.m. | 8 views

A Bootiful Podcast: Trifork CTO Joris Kuipers

Hi, Spring fans! In this installment, Josh Long talks to longtime Spring community legend and Trifork CTO Joris Kuipers. Happy new year!...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2023/12/19 12:00 a.m. | 8 views

This Week in Spring - December 19th, 2023

Hi, Spring fans! Welcome to another oh-so-festive edition of This Week in Spring! Spring Authorization Server 1.2.1, 1.1.14, and 0.4.5 are now available. Spring AMQP 3.1.1 is now available. Spring Security 5.8.9, 6.1.6, 6.2.1 are now available. Spring for Apache Kafka 3.1.1 is now available...

AI score 7.1 | Exploits 0
Spring Security Advisories | added 2023/11/27 12:00 a.m. | 8 views

Spring Boot server Web Observations DoS Vulnerability

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true:...

CVSS 5.3 | AI score 6.8 | EPSS 0.01219 | Exploits 0 | References 1
Spring Security Advisories | added 2023/11/21 12:00 a.m. | 8 views

This Week in Spring - Spring Boot 3.2 edition - November 21st, 2023

Hi, Spring fans! Welcome to another epic installment of This Week in Spring! As amazing as the week's already been, it's all leading up to this Thursday - Thanksgiving day! - when we release Spring Boot 3.2! and yes, I am very grateful. This release is stuffed to the gills with a ton of new...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2023/11/14 12:00 a.m. | 8 views

This Week in Spring - November 14th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's November 14th, and you know what that means? NINE MORE DAYS until Spring Boot 3.2 drops on the day of the US holiday of Thanksgiving, no less! Some key features include: virtual threads initial CRaC support more...

AI score 7.1 | Exploits 0
Spring Security Advisories | added 2023/10/12 12:00 a.m. | 8 views

A Bootiful Podcast: Java Language Architect Brian Goetz

Hi, Spring fans! Are you using Java 21 in production already? No? you should listen to this episode. Yes? Then you should listen to this episode! This week, Josh Long talks to legendary Java Language Architect Brian Goetz @BrianGoetz recapping the latest-and-greatest and previewing Java.next...

AI score 6.9 | Exploits 0
Spring Security Advisories | added 2023/08/01 12:00 a.m. | 8 views

This Week in Spring - August 1st, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! Can you believe it's already August 1, 2023??? Me either. As I write this, I'm preparing some of my contributions for SpringOne at VMware Explore 2023, happening next month in lovely Las Vegas, NV. Have you registered yet? I'...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2023/06/15 12:00 a.m. | 8 views

A Bootiful Podcast: Angular Google Developer Expert Santosh Yadav

Hi, Spring fans! In this installment Josh Long @coffesoftware talks to Angular Google Developer Expert Santosh Yadav @santoshyadavdev about the latest and greatest in the JavaScript and Angular ecosystem...

AI score 6.8 | Exploits 0
Spring Security Advisories | added 2023/06/08 12:00 a.m. | 8 views

A Bootiful Podcast: Microsoft's Sean Li on Azure and Spring Boot

Hi, Spring fans! In this relatively quick installment, recorded live from the lovely Spring I/O 2023, Josh Long talks to Microsoft's Sean Li about some of the latest and greatest in the Azure ecosystem for Spring developers...

AI score 6.8 | Exploits 0
Spring Security Advisories | added 2022/05/17 12:00 a.m. | 8 views

BCrypt skips salt rounds for work factor of 31

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor 31, the encoder does not perform any salt rounds, due to an integer overflow error. The default...

CVSS 5.3 | AI score 5.8 | EPSS 0.02139 | Exploits 0 | References 2
Spring Security Advisories | added 2022/04/05 7:00 p.m. | 8 views

This Week in Spring - April 5th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm back home from the Hawaiian islands. It's so good to be home. First things first: there's a security vulnerability. We've already released guidance on how to mitigate as well as new releases of Spring Framework and Spring Boot...

AI score 7.2 | Exploits 0
Spring Security Advisories | added 2019/04/08 12:00 a.m. | 8 views

Additional information exposure with Spring Data JPA derived queries

This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates 'startingWith', 'endingWith' or 'containing' could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE...

CVSS 5.3 | AI score 6.3 | EPSS 0.01087 | Exploits 0
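The advisory above describes a derived query such as findByNameStartingWith binding a user-supplied value straight into a LIKE pattern, so that `%` or `_` in the input widens the match. The following is an added example, not Spring Data code: an escaping routine for LIKE operands, a small in-memory LIKE matcher (with ESCAPE semantics) standing in for the database so the example runs offline, and a constructed table of names that shows the difference between binding the raw value and the escaped one. The escape character, the table contents and the JPQL fragment in the closing comment are all assumptions of the example.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example, not Spring Data code. The in-memory matcher stands in for the
// database; the escaping function is what an application applies before binding.
public class LikeEscaping {

    static final char ESC = '\\';   // assumed escape character declared in the query

    /** Escape %, _ and the escape character itself in a user-supplied operand. */
    static String escapeLike(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 4);
        for (char c : value.toCharArray()) {
            if (c == '%' || c == '_' || c == ESC) sb.append(ESC);
            sb.append(c);
        }
        return sb.toString();
    }

    /** Minimal SQL LIKE semantics (with ESCAPE) translated to an anchored regex. */
    static Pattern likeToRegex(String like) {
        StringBuilder re = new StringBuilder("^");
        for (int i = 0; i < like.length(); i++) {
            char c = like.charAt(i);
            if (c == ESC && i + 1 < like.length()) {
                re.append(Pattern.quote(String.valueOf(like.charAt(++i))));  // escaped literal
            } else if (c == '%') {
                re.append(".*");
            } else if (c == '_') {
                re.append('.');
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(re.append('$').toString(), Pattern.DOTALL);
    }

    /** Models findByNameStartingWith(prefix): LIKE prefix% with or without escaping. */
    static List<String> startingWith(List<String> rows, String prefix, boolean escape) {
        String like = (escape ? escapeLike(prefix) : prefix) + "%";
        Pattern p = likeToRegex(like);
        return rows.stream().filter(r -> p.matcher(r).matches()).toList();
    }

    public static void main(String[] args) {
        // Constructed table of names.
        List<String> names = List.of("alice", "alicia", "bob", "a%b", "secret-admin");
        String[] inputs = {"ali", "%", "a%", "_"};
        for (String in : inputs) {
            System.out.printf("input=%-4s unescaped=%-36s escaped=%s%n",
                in, startingWith(names, in, false), startingWith(names, in, true));
        }
        // With the escaped value bound to :p, the JPQL must declare the same escape:
        //   select n from Name n where n.value like :p escape '\'
    }
}
```

Bound raw, the input `%` returns every row and `_` returns every non-empty one; bound escaped, the same inputs match only names that literally start with those characters. The escaping is only correct if the query declares the same ESCAPE character, so the two belong together.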
Spring Security Advisories | added 2018/06/14 12:00 a.m. | 8 views

JSONP enabled by default in MappingJackson2JsonView

Spring Framework, versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browse...

CVSS 7.5 | AI score 6.6 | EPSS 0.03244 | Exploits 0 | References 3
Spring Security Advisories | added 2016/12/21 12:00 a.m. | 8 views

Directory Traversal in the Spring Framework ResourceServlet

Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks...

CVSS 7.5 | AI score 5.3 | EPSS 0.0564 | Exploits 0 | References 4
Spring Security Advisories | added 20 hours ago | 7 views

This Week in Spring - June 30th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring, a weekly recap in which we review the latest and greatest in the wide and wonderful world of Spring. You probably already knew this. I don't know if I needed to mention it. But I like to. I've been doing this every week,...

AI score 5.8 | Exploits 0
Spring Security Advisories | added 2026/06/11 12:00 a.m. | 7 views

CVE-2026-47825: Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers...

CVSS 8.6 | AI score 5.2 | EPSS 0.00139 | Exploits 0 | References 1 | Affected software 1
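The advisory above is about a gateway passing X-Forwarded-For along when the peer that sent it was not a trusted proxy. The block below is an added example, not Spring Cloud Gateway code, of the discipline that makes such a header safe to consume and to forward: only a hop in an assumed trusted-proxy list may vouch for the entries before it, the chain is read from right to left, and a header arriving from an untrusted peer is discarded rather than forwarded. The proxy addresses and the request samples are constructed; a real deployment would match CIDR ranges rather than exact strings.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example, not Spring Cloud Gateway code. TRUSTED_PROXIES is an assumed
// list of the only hops allowed to append X-Forwarded-For entries.
public class ForwardedHeaders {

    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    static boolean isTrustedProxy(String address) {
        return TRUSTED_PROXIES.contains(address);
    }

    /** Splits an X-Forwarded-For value into its comma-separated hops. */
    static List<String> hops(String xff) {
        List<String> hops = new ArrayList<>();
        if (xff != null) {
            for (String h : xff.split(",")) {
                String t = h.trim();
                if (!t.isEmpty()) hops.add(t);
            }
        }
        return hops;
    }

    /**
     * Client address as seen by this server. The chain is read right to left,
     * skipping hops that are trusted proxies; the first other address is the
     * client. A header from an untrusted peer is ignored entirely.
     */
    static String clientAddress(String peerAddress, String xff) {
        if (!isTrustedProxy(peerAddress)) {
            return peerAddress;
        }
        List<String> chain = hops(xff);
        for (int i = chain.size() - 1; i >= 0; i--) {
            if (!isTrustedProxy(chain.get(i))) return chain.get(i);
        }
        // Every listed hop is a trusted proxy (or the header was empty):
        // the request originated inside the proxy tier.
        return chain.isEmpty() ? peerAddress : chain.get(0);
    }

    /**
     * X-Forwarded-For to send to the next hop. An untrusted peer's header is
     * dropped and the chain restarts at the peer itself.
     */
    static String outboundForwardedFor(String peerAddress, String xff) {
        List<String> chain = isTrustedProxy(peerAddress) ? hops(xff) : new ArrayList<>();
        chain.add(peerAddress);
        return String.join(", ", chain);
    }

    public static void main(String[] args) {
        // Constructed requests: (peer address, inbound X-Forwarded-For)
        String[][] samples = {
            {"203.0.113.9", "198.51.100.1"},            // untrusted peer supplying a header
            {"10.0.0.5",    "198.51.100.7, 10.0.0.6"},  // two trusted proxies in front
            {"10.0.0.5",    "1.1.1.1, 198.51.100.7"},   // bogus entry left of the real client
            {"10.0.0.5",    null},                      // trusted proxy, no header
        };
        for (String[] s : samples) {
            System.out.printf("peer=%-12s xff=%-24s client=%-14s forward=%s%n",
                s[0], s[1], clientAddress(s[0], s[1]), outboundForwardedFor(s[0], s[1]));
        }
    }
}
```

In the first sample the peer is not a trusted proxy, so both the derived client address and the forwarded header are the peer itself; in the third, the leftmost entry is ignored because only the hop appended by a trusted proxy is believed.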
Spring Security Advisories | added 2026/06/10 12:00 a.m. | 7 views

CVE-2026-40986: Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker...

CVSS 4.8 | AI score 5.1 | EPSS 0.00201 | Exploits 0 | References 1 | Affected software 1
Spring Security Advisories | added 2026/06/10 12:00 a.m. | 7 views

CVE-2026-40997: SOAP security faults leak Spring Security account state

Several Spring WS integration paths with Spring Security could surface detailed account state (for example, locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...

CVSS 5.3 | AI score 5.4 | EPSS 0.00366 | Exploits 0 | References 1 | Affected software 1
Spring Security Advisories | added 2026/06/10 12:00 a.m. | 7 views

CVE-2026-40992: Mail Auto-Configuration Does Not Enable SSL Hostname Verification

Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected...

CVSS 5 | AI score 5.8 | EPSS 0.00123 | Exploits 0 | References 1 | Affected software 1
Spring Security Advisories | added 2026/06/10 12:00 a.m. | 7 views

CVE-2026-40987: Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem outside the configured local directory with attacker-controlled content...

CVSS 7.1 | AI score 5.4 | EPSS 0.0021 | Exploits 0 | Affected software 1
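Two entries in this listing are the same bug class: the Spring Cloud Data Flow Skipper upload path that was not sanitized, and the Spring Integration synchronizer above that writes a server-supplied file name under localDirectory without canonicalization. The block below is an added example, not code from either project, of the check that should sit between a name received from the other end and any write: resolve it under the base directory, normalize, confirm the result is still inside, and then canonicalize the nearest existing ancestor so a planted symlink cannot redirect the write. The sandbox directories and the list of supplied names are constructed for the demonstration; the symlink case assumes a POSIX filesystem (creating it on Windows needs symlink rights).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not Spring Cloud Data Flow or Spring Integration code: the
// canonicalization check that both advisories say was missing.
public class SafeLocalPath {

    /**
     * Resolves a supplied file name under baseDir and returns the target, or
     * throws if the result would lie outside baseDir after normalization and
     * after resolving symlinks in the part of the path that already exists.
     */
    static Path resolveInside(Path baseDir, String suppliedName) throws IOException {
        Path base = baseDir.toRealPath();                        // base must exist; symlinks resolved
        Path candidate = base.resolve(suppliedName).normalize(); // strips "." and ".." lexically
        if (!candidate.startsWith(base)) {
            throw new IOException("escapes base directory: " + suppliedName);
        }
        // The lexical check is not enough: an existing symlink under base may
        // point outside it. Canonicalize the nearest ancestor that exists.
        Path existing = candidate;
        while (!Files.exists(existing)) {
            existing = existing.getParent();                     // terminates at base, which exists
        }
        if (!existing.toRealPath().startsWith(base)) {
            throw new IOException("symlink escapes base directory: " + suppliedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox standing in for the configured local directory.
        Path base = Files.createTempDirectory("sync-demo");
        Path outside = Files.createTempDirectory("outside");
        Files.createDirectories(base.resolve("sub"));
        Files.createSymbolicLink(base.resolve("link"), outside);  // planted by an attacker

        String[] serverSuppliedNames = {
            "report.csv",            // accepted
            "sub/report.csv",        // accepted
            "../../etc/passwd",      // rejected: ".." climbs out of base
            "/etc/passwd",           // rejected: an absolute name replaces base
            "link/authorized_keys",  // rejected: the symlink leads outside base
        };
        for (String name : serverSuppliedNames) {
            try {
                System.out.println("ACCEPT " + name + " -> " + resolveInside(base, name));
            } catch (IOException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The second check matters because `normalize()` is purely lexical: `base/link/authorized_keys` passes `startsWith(base)` but `toRealPath()` on `base/link` reveals the real location. The same routine serves an upload endpoint and a download-synchronizer alike; only the origin of the name differs.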
Spring Security Advisories | added 2026/06/10 12:00 a.m. | 7 views

CVE-2026-41856: Spring GraphQL Annotation Detection Vulnerability

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. Spring for GraphQL applications are vulnerable when all the...

CVSS 7.5 | AI score 5.2 | EPSS 0.00352 | Exploits 0 | References 1 | Affected software 1
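The advisory above turns on how annotations are found on handler methods in a type hierarchy. The underlying Java rule is that method annotations are not inherited: an overriding method in a subclass carries none of the annotations declared on the parent's method, so a lookup that only asks the handler method itself sees nothing. The block below is an added example, not Spring for GraphQL code; the RequiresRole annotation and the two controller classes are hypothetical, and the hierarchy-walking lookup checks the declaring class, its superclasses and their direct interfaces for the same method signature.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

// Added example, not Spring for GraphQL code. Demonstrates why an annotation
// used for authorization can go missing on an overriding method.
public class AnnotationLookup {

    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }   // hypothetical authorization annotation

    static class BaseController {
        @RequiresRole("ADMIN")
        public String secrets() { return "base"; }
    }

    static class SubController extends BaseController {
        @Override
        public String secrets() { return "sub"; }  // annotation not re-declared here
    }

    /** Naive lookup: asks only the handler method that was resolved. */
    static RequiresRole direct(Method m) {
        return m.getAnnotation(RequiresRole.class);
    }

    /** Hierarchy-aware lookup: same signature on superclasses and direct interfaces. */
    static RequiresRole inherited(Method m) {
        for (Class<?> c = m.getDeclaringClass(); c != null; c = c.getSuperclass()) {
            RequiresRole r = findOn(c, m);
            if (r != null) return r;
            for (Class<?> itf : c.getInterfaces()) {
                r = findOn(itf, m);
                if (r != null) return r;
            }
        }
        return null;
    }

    private static RequiresRole findOn(Class<?> c, Method m) {
        try {
            return c.getDeclaredMethod(m.getName(), m.getParameterTypes())
                    .getAnnotation(RequiresRole.class);
        } catch (NoSuchMethodException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // getMethod returns the most specific override, i.e. SubController.secrets().
        Method handler = SubController.class.getMethod("secrets");
        System.out.println("direct:    " + direct(handler));     // prints null
        System.out.println("inherited: " + inherited(handler));  // prints the ADMIN annotation
    }
}
```

The practical consequence for authorization is that a check which treats "no annotation found" as "no restriction" fails open whenever a subclass overrides an annotated handler. Either resolve annotations across the hierarchy as above, or make the absence of an annotation deny by default.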
Spring Security Advisories | added 2026/06/10 12:00 a.m. | 7 views

CVE-2026-40996: Inbound WS-Security allows RSA PKCS#1 v1.5 key transport by default

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation (RequestData). Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-15) encrypted key material unless operators explicitly reconfigured the flag,...

CVSS 4.8 | AI score 5.9 | EPSS 0.00129 | Exploits 0 | References 1 | Affected software 1
Spring Security Advisories | added 2026/06/10 12:00 a.m. | 7 views

CVE-2026-40985: Data Binding Vulnerability in Spring Web Flow with Unified EL Parser

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Pre-conditions:...

CVSS 6.4 | AI score 5.2 | EPSS 0.00225 | Exploits 0 | References 1 | Affected software 1
Spring Security Advisories | added 2026/06/10 12:00 a.m. | 7 views

CVE-2026-41699: Unsafe Deserialization in Spring GraphQL

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. More precisely, an application is vulnerable when all the following are true: When all the conditions above are met, an attacker can craft a malicious GraphQL request that can lead ...

CVSS 8.1 | AI score 5.9 | EPSS 0.0043 | Exploits 0 | References 1 | Affected software 1
Spring Security Advisories | added 2026/06/10 12:00 a.m. | 7 views

CVE-2026-40994: Wss4jSecurityInterceptor disables WS-I BSP validation by default

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData, contradicting the intended secure default and published setter contract. Services that validate WS-Security on the network could...

CVSS 8.2 | AI score 5.9 | EPSS 0.00229 | Exploits 0 | References 1 | Affected software 1
Spring Security Advisories | added 2026/06/10 12:00 a.m. | 7 views

CVE-2026-40995: X.509 authentication bypasses Spring Security account checks

X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). That behavior applied to users...

CVSS 5.4 | AI score 5.3 | EPSS 0.00148 | Exploits 0 | References 1 | Affected software 1
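Two advisories in this listing are two halves of one requirement. CVE-2026-40995 above is a provider that skipped the account lifecycle checks after a certificate mapped to a user; CVE-2026-40997 (SOAP security faults) is the opposite failure, where the checks ran but their specific outcome was handed to the remote caller. The block below is an added example, not Spring Security or Spring WS code: after the credential itself has been accepted, the disabled/locked/expired/credentials-expired states are checked in order, the specific reason is logged for operators, and the caller receives one fixed failure regardless of which check tripped. The user store is constructed for the demonstration.

```java
import java.util.Map;
import java.util.logging.Logger;

// Added example, not Spring Security or Spring WS code. USERS stands in for
// whatever maps a certificate subject or SOAP credential to a stored account.
public class AccountChecks {

    record Account(String name, boolean enabled, boolean locked,
                   boolean expired, boolean credentialsExpired) {}

    /** The only exception the remote caller ever sees: one fixed message. */
    static final class AuthenticationFailed extends RuntimeException {
        AuthenticationFailed() { super("Authentication failed"); }
    }

    private static final Logger LOG = Logger.getLogger(AccountChecks.class.getName());

    static final Map<String, Account> USERS = Map.of(
        "alice", new Account("alice", true,  false, false, false),
        "bob",   new Account("bob",   true,  true,  false, false),   // locked
        "carol", new Account("carol", false, false, false, false),   // disabled
        "dave",  new Account("dave",  true,  false, false, true));   // password expired

    /** Lifecycle checks applied after the credential itself has been verified. */
    static String statusProblem(Account a) {
        if (a == null)              return "unknown user";
        if (!a.enabled())           return "account disabled";
        if (a.locked())             return "account locked";
        if (a.expired())            return "account expired";
        if (a.credentialsExpired()) return "credentials expired";
        return null;
    }

    /** Returns the authenticated principal name or throws AuthenticationFailed. */
    static String authenticate(String principalFromCredential) {
        Account a = USERS.get(principalFromCredential);
        String problem = statusProblem(a);
        if (problem != null) {
            // The specific reason is an operator concern: log it, never return it.
            LOG.warning("rejected '" + principalFromCredential + "': " + problem);
            throw new AuthenticationFailed();
        }
        return a.name();
    }

    public static void main(String[] args) {
        for (String cn : new String[] {"alice", "bob", "carol", "dave", "mallory"}) {
            try {
                System.out.println(cn + ": authenticated as " + authenticate(cn));
            } catch (AuthenticationFailed e) {
                System.out.println(cn + ": " + e.getMessage());   // identical for every failure
            }
        }
    }
}
```

Skipping `statusProblem` is the bug in the first advisory; returning its string to the client is the bug in the second. Keeping the reason in the server log preserves what operators need without letting a remote caller enumerate which accounts exist, are locked, or have stale passwords.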
Spring Security Advisories | added 2026/06/09 12:00 a.m. | 7 views

CVE-2026-41003: Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters...

CVSS 7.6 | AI score 6.1 | EPSS 0.00204 | Exploits 0 | References 1 | Affected software 1
Spring Security Advisories | added 2026/06/09 12:00 a.m. | 7 views

CVE-2026-41706: Open Redirect When Using CookieRequestCache

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL including scheme, host, and port ...

CVSS 6.1 | AI score 5.8 | EPSS 0.00211 | Exploits 0 | References 1 | Affected software 1
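The advisory above (a saved request URL stored as a full absolute URL and later used as a redirect target) and the earlier UriComponentsBuilder host-validation entry (a URL parsed, its host checked, then the original used) share one application-side defence: decide on the parsed components, then rebuild the redirect from those components as a path-relative target instead of echoing anything the caller wrote. The block below is an added example, not Spring Security or Spring Framework code, using java.net.URI rather than Spring's parser; the allowed-host list and the sample inputs are assumptions of the example, and it does not reproduce the framework-side parser issue, only the discipline that limits its blast radius.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Optional;
import java.util.Set;

// Added example, not Spring Security or Spring Framework code. ALLOWED_HOSTS
// is an assumed list of the hosts this application serves.
public class RedirectTarget {

    static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");

    /**
     * Turns a saved or caller-supplied URL into a redirect target that stays on
     * this site. The decision is made on parsed components, and the result is
     * rebuilt from them as a path-relative URL, so scheme, authority and
     * userinfo written by the caller never reach the Location header.
     */
    static Optional<String> toLocalRedirect(String url) {
        URI uri;
        try {
            uri = new URI(url);                    // rejects backslashes, CR/LF and other illegal chars
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        if (uri.isAbsolute()) {
            String host = uri.getHost();
            if (!"https".equalsIgnoreCase(uri.getScheme())
                    || uri.getRawUserInfo() != null    // https://app.example.com@evil.example/
                    || host == null
                    || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
                return Optional.empty();
            }
        } else if (uri.getRawAuthority() != null) {
            return Optional.empty();               // //evil.example/ is protocol-relative
        }
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) path = "/";
        if (!path.startsWith("/") || path.startsWith("//")) {
            return Optional.empty();               // relative or protocol-relative paths
        }
        String query = uri.getRawQuery();
        return Optional.of(query == null ? path : path + "?" + query);
    }

    public static void main(String[] args) {
        // Constructed inputs, as they might arrive in a query parameter or a saved-request cookie.
        String[] inputs = {
            "/account?tab=security",
            "https://app.example.com/account?tab=security",
            "https://app.example.com:443/orders",
            "https://evil.example/phish",
            "https://app.example.com@evil.example/phish",
            "//evil.example/phish",
            "/\\evil.example",
            "javascript:alert(1)",
            "https://app.example.com//evil.example",
        };
        for (String in : inputs) {
            System.out.printf("%-48s -> %s%n", in, toLocalRedirect(in).orElse("REJECTED"));
        }
    }
}
```

Only the first three inputs produce a target, and all three come back as a path plus query. For the cookie case this is also the right thing to store in the first place: a path-only saved request cannot be turned into an off-site redirect no matter what the cookie later contains.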
Spring Security Advisories | added 2026/06/09 12:00 a.m. | 7 views

CVE-2026-41730: Spring Data REST exposes persistence-layer internals in error responses

Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected applications are those that expose a Spring Data REST repository backed by a relational JDBC/JPA store and do not apply additional...

CVSS 5.3 | AI score 5.8 | EPSS 0.00197 | Exploits 0 | References 1 | Affected software 1
Total number of security vulnerabilities: 924