Spring Framework 6.1.6, 6.0.19 and 5.3.34 Available Now Including Fixes for CVE-2024-22262

Releases | Brian Clozel | April 11, 2024 | ...

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 6.1.6, 6.0.19 and 5.3.34 are available now:

The releases address CVE-2024-22262 for "URL Parsing with Host Validation (3rd report)". Important CVEs on popular projects, like the original CVE-2024-22243, often get attention from the security community. We received many reports and helpful feedback about new attack variants over the last weeks. The security of Spring applications is our priority and we will keep addressing vulnerabilities in a transparent and timely fashion.

We are actively working on a new approach that will completely revisit the implementation.

Upgrading your project

Commercial customers using Spring Boot 2.7 or 3.0 can make use of Spring Boot Hotfix releases 2.7.20.3 and 3.0.15.3. Releases are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.

Commercial customers and OSS users of Spring Boot 3.1 and 3.2 should manually upgrade to Spring Framework 6.0.19 and 6.1.6 now, and to Spring Boot 3.1.11 and 3.2.5 next week when those become available.

Project Page | GitHub | Issues | Documentation

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all