The Spring Security and Spring Framework teams have collaborated to release fixes for the following CVEs.
CVE-2025-41248: Spring Security authorization bypass for method security annotations on parameterized types
CVE-2025-41249: Spring Framework Annotation Detection Vulnerability
Both of these CVE reports pertain to vulnerabilities that may be encountered when using security annotations on methods within type hierarchies with a parameterized supertype with unbounded generics. See the individual CVE reports for further details.
CVE-2025-41248
The Spring Security 6.4.11 and 6.5.5 open source…
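As an added illustration, not code from the advisories or from Spring Security itself, the following shows the shape of hierarchy the two reports describe: a parameterized supertype with an unbounded type variable carrying the method security annotation, and a concrete subtype whose override carries none. It pairs that with the check a practitioner wants after upgrading, a fail-closed test that a non-admin caller is rejected on the concrete bean. `Account`, `AccountRepository`, `EntityRepository` and the role names are assumptions for illustration; whether a given hierarchy is affected on a given version is what the CVE reports determine, the test only verifies the expected outcome.

```java
// Added example, not from the Spring advisories: a type hierarchy of the shape the
// reports describe, plus a fail-closed regression test. Account, AccountRepository,
// EntityRepository and the role names are assumptions for illustration.
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

// Parameterized supertype with an unbounded type variable: the annotation lives here.
interface EntityRepository<T> {
    @PreAuthorize("hasRole('ADMIN')")
    void delete(T entity);
}

class Account {
    final String id;
    Account(String id) { this.id = id; }
}

// Concrete bean. The override carries no annotation of its own, so enforcement
// depends entirely on Spring Security locating the one declared on the supertype.
class AccountRepository implements EntityRepository<Account> {
    @Override
    public void delete(Account entity) {
        // destructive operation; must only be reachable by ADMIN
    }
}

@Configuration
@EnableMethodSecurity
class MethodSecurityTestConfig {
    @Bean
    AccountRepository accountRepository() {
        return new AccountRepository();
    }
}

// Regression test: a non-admin caller must be rejected on the concrete bean.
// Keep it in the suite so the expectation is re-checked on every upgrade.
@SpringJUnitConfig(MethodSecurityTestConfig.class)
class AccountRepositoryAuthorizationTest {

    @Autowired
    AccountRepository accounts;

    @Test
    @WithMockUser(roles = "USER")
    void nonAdminCannotDelete() {
        assertThrows(AccessDeniedException.class,
                () -> accounts.delete(new Account("acct-1")));
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminCanDelete() {
        accounts.delete(new Account("acct-1"));
    }
}
```

The test exercises the bean through the Spring context, so the method security interceptor is in the call path; calling `new AccountRepository().delete(...)` directly would bypass the proxy and prove nothing.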
This is the first blog post in the Road to GA series, highlighting major features within the Spring portfolio for the next major versions to be released in November of this year. Today we are proud to announce the new resilience features coming in Spring Framework 7.0: concurrency throttling and retry support.
Concurrency Throttling
For certain tasks and resources it may be desirable to limit the level of concurrency. Concurrency throttling effectively protects the target resource from being accessed from too many threads at the same time, similar to the effect of a pool size limit for a…
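To make the two mechanisms concrete, here is an added example that hand-rolls them with only the JDK; it is not Spring Framework 7.0's implementation or API. A semaphore bounds how many threads may be inside the target resource at once and rejects callers that cannot get a permit within a timeout, and a bounded retry with exponential backoff wraps the throttled call. The flaky "target resource" is a constructed stand-in that fails its first two calls; the class and parameter names are assumptions for illustration.

```java
// Added example, not Spring's implementation: a concurrency limit around a resource
// and a bounded retry with exponential backoff, using only the JDK. The target
// resource is a constructed fake that fails a fixed number of times.
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

final class Throttled<T> {
    private final Semaphore permits;
    private final long acquireTimeoutMs;
    private final Supplier<T> target;

    Throttled(int maxConcurrency, long acquireTimeoutMs, Supplier<T> target) {
        this.permits = new Semaphore(maxConcurrency, true);  // fair: no caller starves
        this.acquireTimeoutMs = acquireTimeoutMs;
        this.target = target;
    }

    // Bound the number of threads inside the target at once. A caller that cannot
    // get a permit within the timeout fails fast instead of queueing without limit,
    // so a slow resource cannot pin every thread in the caller's own pool.
    T call() throws InterruptedException {
        if (!permits.tryAcquire(acquireTimeoutMs, TimeUnit.MILLISECONDS)) {
            throw new IllegalStateException("concurrency limit reached; rejecting call");
        }
        try {
            return target.get();
        } finally {
            permits.release();
        }
    }
}

final class Retrying {
    // Bounded attempts with exponential backoff capped at maxDelayMs. Unbounded or
    // zero-delay retries turn one failing dependency into a self-inflicted flood.
    static <T> T withRetry(Supplier<T> op, int maxAttempts, long initialDelayMs, long maxDelayMs)
            throws InterruptedException {
        if (maxAttempts < 1) throw new IllegalArgumentException("maxAttempts must be >= 1");
        long delay = initialDelayMs;
        RuntimeException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return op.get();
            } catch (RuntimeException e) {
                last = e;
                if (attempt == maxAttempts) break;
                Thread.sleep(delay);
                delay = Math.min(delay * 2, maxDelayMs);
            }
        }
        throw last;
    }
}

class ResilienceDemo {
    public static void main(String[] args) throws InterruptedException {
        // Constructed stand-in for a flaky downstream: fails the first two calls.
        AtomicInteger calls = new AtomicInteger();
        Supplier<String> flaky = () -> {
            if (calls.incrementAndGet() <= 2) throw new RuntimeException("transient failure");
            return "ok";
        };

        // At most 4 concurrent callers; wait up to 200 ms for a permit.
        Throttled<String> limited = new Throttled<>(4, 200, flaky);

        // Retry wraps the throttled call, so backoff sleeps happen outside the
        // permit and every attempt is still subject to the concurrency limit.
        String result = Retrying.withRetry(() -> {
            try {
                return limited.call();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                throw new RuntimeException(e);
            }
        }, 5, 50, 1000);

        System.out.println(result + " after " + calls.get() + " calls");
    }
}
```

The nesting order matters: putting the retry loop inside the throttled section would hold a permit across every backoff sleep, shrinking the effective concurrency for other callers exactly when the resource is already struggling.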
Table of Contents
Overview
Does This Affect My Application?
Reassessing Your Data Binding Approach
Overview
While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration.
CVE-2022-22968: Spring Framework Data Binding Rules Vulnerability
We…
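As an added example, not code from the Spring post, the following shows where the disallowedFields setting is configured in a Spring MVC controller and contrasts it with an explicit allowedFields list, which rejects anything not named and is the more robust choice when reassessing a data binding approach. The deny-list patterns list both capitalizations of each segment, as the published CVE-2022-22965 workaround did (recalled from that announcement, not stated on this page). A plain `DataBinder` test then verifies that an unlisted, attacker-supplied field is suppressed rather than bound. The controller, form object and field names are assumptions for illustration.

```java
// Added example, not from the Spring post: @InitBinder configuration for a
// WebDataBinder (deny-list plus allow-list) and a DataBinder test showing that an
// unlisted field is suppressed. Names are assumptions for illustration.
import static org.junit.jupiter.api.Assertions.assertArrayEquals;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;

import org.junit.jupiter.api.Test;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Form object with a property the client must never be allowed to set.
class AccountForm {
    private String displayName;
    private String email;
    private String role;   // assigned server-side only

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }
}

@RestController
class AccountController {

    @InitBinder("accountForm")
    void configureBinder(WebDataBinder binder) {
        // Allow-list first: only these properties may be bound from the request.
        binder.setAllowedFields("displayName", "email");
        // Deny-list as defense in depth, with both first-letter cases per segment.
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }

    @PostMapping("/accounts")
    String create(@ModelAttribute("accountForm") AccountForm form) {
        return "created " + form.getDisplayName();
    }
}

// Verifies the rules outside the web layer. DataBinder applies the same
// allowed/disallowed checks that WebDataBinder applies to request parameters.
class AccountFormBindingTest {
    @Test
    void unlistedFieldIsSuppressedNotBound() {
        AccountForm form = new AccountForm();
        DataBinder binder = new DataBinder(form);
        binder.setAllowedFields("displayName", "email");
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");

        // Constructed request payload: a legitimate field plus a mass-assignment attempt.
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("displayName", "Ann");
        pvs.add("role", "ADMIN");
        binder.bind(pvs);

        assertEquals("Ann", form.getDisplayName());
        assertNull(form.getRole());
        assertArrayEquals(new String[] {"role"}, binder.getBindingResult().getSuppressedFields());
    }
}
```

`getSuppressedFields()` is the practical way to audit a binder configuration: anything the rules dropped shows up there, so a test can pin down exactly which client-supplied names are ignored.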
We have released Spring Framework 5.3.17 and Spring Framework 5.2.20 to address the following CVE report. CVE-2022-22950: Spring Expression DoS Vulnerability Please review the information in the CVE report and upgrade immediately. Spring Boot users should upgrade to 2.5.11 or 2.6.5.
The spring-test module now builds against and supports JUnit 4.10 and TestNG 6.5.2, and spring-test now depends on the junit:junit-dep Maven artifact instead of junit:junit, which means that you have full control over your dependencies on Hamcrest libraries (e.g., hamcrest-core, hamcrest-all, etc.). In Spring 3.2 we've deprecated SimpleJdbcTestUtils in favor of the improved JdbcTestUtils class, which offers new countRowsInTableWhere() and dropTables() utility methods in addition to everything that SimpleJdbcTestUtils previously offered. These changes help to avoid the compiler warnings…
As Jürgen Höller mentioned in his post announcing the release of Spring 3.1 M2, the Spring TestContext Framework(*) has been overhauled to provide first-class testing support for @Configuration classes and environment profiles. In this post I'll first walk you through some examples that demonstrate these new testing features. I'll then cover some of the new extension points in the TestContext framework that make these new features possible. Please note: this is a cross post from my company blog www.swiftmind.com. At its core, the TestContext framework allows you to annotate test classes…
Since we released the SpringSource Application Platform last Wednesday, numerous developers have downloaded the 1.0.0 beta and started taking the Platform for a test drive. As a result, people have begun asking, "How can I deploy my apps on the Platform, and what kind of deployment and packaging options do I have?" Moreover, developers are eagerly requesting to see working samples. In response, the S2AP team will be releasing several sample applications over the coming weeks demonstrating these features and more, but before you get your hands on these samples, I'd like to give you a high-level…