Spring Framework Cross-site Scripting via JSP Form Tags
Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability...
A Bootiful Podcast: Mark Kropf on AI orchestration
Hi Spring fans! I was delighted to get a chance to sit and talk to my pal and Pivotal alum Mark Kropf about his efforts around orchestrating AI. This doesn’t have to do with the JVM or Spring, per se, but it’s an interesting discussion nonetheless...
A Bootiful Podcast: Spring community legend and friend Simon Martinelli
Hi, Spring fans! Happy Thanksgiving from me, and I am sure the entire Spring team, to you! We are, it should be clear, oh so very grateful.. thankful.. for you, the community. This week it is my great pleasure to chat with Spring community legend Simon Martinelli...
A Bootiful Podcast: The Vaadin team, live from Vaadin Create 2025
Hi, Spring fans! In this installment, I had the privilege to sit down with Vaadin legends Joonas Lehtinen, Marcus Hellberg, and Leif Åstrand at the amazing Vaadin Create 2025 event in Frankfurt, Germany...
A Bootiful Podcast: Spring team engineer Dariusz Jędrzejczyk on the latest-and-greatest in the reactive world, MCP, and more
Hi, Spring fans! In this installment we talk to the Spring team engineer Dariusz Jędrzejczyk on the latest-and-greatest in the reactive world, MCP, and more...
This Week in Spring - October 21st, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm writing this from the fantastic Vaadin Create conference here in Frankfurt, Germany. What an amazing show and community. Since we last spoke, I have been in Boston; New York city; Sofia, Bulgaria; Krakow, Poland; and now...
Spring Session MongoDB: Now Led by MongoDB Team
It gives me great pleasure to announce that the Spring Session MongoDB project will now be led by the MongoDB Team. NOTE: This announcement is in alignment with our announcement Spring Session Hazelcast: Now Led by Hazelcast Team. For ten years Spring Session has provided the infrastructure for...
Spring Session Hazelcast: Now Led by Hazelcast Team
It gives me great pleasure to announce that the Spring Session Hazelcast project will now be led by the Hazelcast Team. NOTE: This announcement is in alignment with our announcement Spring Session MongoDB: Now Led by MongoDB Team. For ten years Spring Session has provided the infrastructure for...
This Week in Spring - October 14th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in Boston and New York city and Bulgaria and Poland this week, but I'm still hyped about last week's amazing Devoxx Belgium event! There are a ton of videos to look at, and I'll include just some of them here. So, without...
Securing MCP Servers with Spring AI
Model Context Protocol, or MCP for short, has taken over the AI world. If you've been following our blog, you've probably read the introduction to the topic, Connect Your AI to Everything: Spring AI's MCP Boot Starters. The security aspects of MCP have been evolving fast, and the latest version o...
A Bootiful Podcast: Spring Batch lead Mahmoud Ben Hassine
Hi, Spring fans! In this installment we talk to the legendary lead of the Spring Batch project, Mahmoud Ben Hassine, about the latest-and-greatest in Spring Batch in the Spring Boot 4 generation...
API Versioning in Spring
In this 2nd blog post of the Road to GA series highlighting major features within the Spring portfolio for the next major versions to be released in November, I’m going to focus on the upcoming API Versioning support in Spring Framework 7. Introduction API versioning is a challenging topic. Most...
A Bootiful Podcast: Purnima Padmanabhan, General Manager, Tanzu Division, Broadcom
Hi, Spring fans! In this installment, we talk to the general manager of Tanzu, the legendary Purnima Padmanabhan, about AI, the power of the platform, and more. Recorded live from SpringOne 2025!...
Core Spring Resilience Features: @ConcurrencyLimit, @Retryable, and RetryTemplate
This is the first blog post in the Road to GA series, highlighting major features within the Spring portfolio for the next major versions to be released in November of this year. Today we are proud to announce the new resilience features coming in Spring Framework 7.0: concurrency throttling and...
A Bootiful Podcast: Architecture sage and Spring Modulith lead Oliver Drotbohm
Hi, Spring fans! In this installment I caught up with architecture guru and Spring Modulith founder and lead Oliver Drotbohm and we looked at some of the amazing possibilities in Spring Modulith 2.0, coming after Spring Framework 7.0 and Spring Boot 4.0 drop later this year!...
A Bootiful Podcast: Intact's Luke Shannon
Hi, Spring fans! And happy holidays! In this installment I talk to Intact's Luke Shannon about their use of Spring, developer portals, and so much more...
DoS via Spring MVC controller method with byte[] parameter
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack...
Zip-slip mitigation bypass in Spring Integration Zip extension
spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability that can be achieved using a specially crafted zip archive (this affects other archives as well: bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to...
Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can...
Jackson Configuration Allows Code Execution with Unknown “Serialization Gadgets”
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means...
Modularizing Spring Boot
Continuing our Road to GA series, this week we're exploring the modularization effort happening with Spring Boot 4. When Spring Boot 1.0 was released in 2014, it shipped with a single spring-boot-autoconfigure jar weighing in at 182 KiB. Of course, that initial version didn't support a great deal...
A Bootiful Podcast: Spring Security contributor Josh Cummings on the latest-and-greatest in Spring Security 7
Hi, Spring fans! In this installment we talk to Spring Security contributor and legend Josh Cummings...
A Bootiful Podcast: Dr. Kris De Volder on developer tooling for Spring developers and AI
Hi, Spring fans! In this installment we talk to Spring tooling legend Dr. Kris De Volder on tooling, AI, and so much more...
Access API Moves to Spring Security Access
Five years ago, Spring Security began the journey of modernizing its authorization API. This has paved the way for a number of exciting features like Authorized POJOs, value masking, and, planned for Spring Security 7, Multi-Factor Authentication. This also deprecated the majority of the Access...