On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 6.2.11 is available now.

Spring Framework 6.2.11 ships with 23 fixes and documentation improvements. This version will be shipped next week with Spring Boot 3.4.10 and 3.5.6.

CVE-2025-41249

This release addresses CVE-2025-41249 for "Spring Framework Annotation Detection Vulnerability", which was published in conjunction with CVE-2025-41248 for "Spring Security authorization bypass for method security annotations on parameterized types". See Spring Security and Spring Framework Release Fixes for CVE-2025-41248 and CVE-2025-41249 for further details.

Open source support for the Spring Framework 5.3.x and 6.1.x generations has ended; however, the fix for CVE-2025-41249 has been applied to the Spring Framework 5.3.45 and 6.1.23 commercial releases, which are available now.

If you are not a commercial customer, please consider upgrading to a supported open source version of Spring Framework at your earliest convenience. Commercial customers using Spring Boot 2.7, 3.2, or 3.3 can make use of Spring Boot Hotfix releases 2.7.29.1, 3.2.18.1, and 3.3.15.1. Releases are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.

Project Page | GitHub | Issues | Documentation