Spring Framework 5.3.20 and 5.2.22 available now

Releases | Brian Clozel | May 11, 2022 | ...

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 5.3.20 and 5.2.22 are available now.

Spring Framework 5.3.20 includes 14 fixes and improvements. Spring Framework 5.2.22 includes 2 backports.

In addition, these releases include fixes for 2 vulnerabilities:

  • CVE-2022-22970 "Spring Framework DoS via Data Binding to MultipartFile or Servlet Part" Denial of Service (DoS) attack in Spring MVC or Spring WebFlux applications that handle file uploads and rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. Severity: Medium

  • CVE-2022-22971 "Spring Framework DoS with STOMP over WebSocket"
    Denial of service (DoS) attack by authenticated users in Spring applications with a STOMP over WebSocket endpoint. Severity: Medium

These new versions are recommended upgrades for all Spring production scenarios.

Project Page | GitHub | Issues | Documentation

Get the Spring newsletter

Thank you for your interest. Someone will get back to you shortly.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all