Spring Framework 6.1.5, 6.0.18 and 5.3.33 Available Now Including Fixes for CVE-2024-22259

Releases | Brian Clozel | March 14, 2024 | ...

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 6.1.5, 6.0.18 and 5.3.33 are available now.

Spring Framework 6.1.5 ships with 45 fixes and documentation improvements. This version will be shipped with Spring Boot 3.2.4, to be released next week.

Spring Framework 6.0.18 ships with 11 fixes and documentation improvements. This version will be shipped with Spring Boot 3.1.10, to be released next week.

Spring Framework 5.3.33 ships with 10 fixes and documentation improvements.

The releases address CVE-2024-22259 for URL Parsing with Host Validation (2nd report).

Tanzu Spring Runtime

Commercial customers using Spring Boot 2.7 or 3.0 can make use of the new Spring Boot Hotfix release mechanism, providing versions 2.7.20.1 and 3.0.15.1. Spring Boot Hotfix releases are timely releases that patch dependency management to use the latest Spring artifacts when a CVE fix is released. The hotfix versions released today are available on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.

Commercial customers and OSS users of Spring Boot 3.1 and 3.2 should manually upgrade to Spring Framework 6.0.18 and 6.1.5 now, and to Spring Boot 3.1.10 and 3.2.4 next week when those become available.

Stay tuned for more details on hotfix releases and our plans in that space.

Project Page | GitHub | Issues | Documentation

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all