Spring Framework 6.1.21 and 6.2.8 releases fix CVE-2025-41234
On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 6.1.21
and 6.2.8
are available now.
Spring Framework 6.1.21
ships with 3 fixes and documentation improvements. This version will be shipped next week with Spring Boot 3.3.13
.
Spring Framework 6.2.8
ships with 39 fixes and documentation improvements. This version will be shipped next week with Spring Boot 3.4.7
and 3.5.1
.
CVE-2025-41234:
The releases address CVE-2025-41234 for RFD Attack via “Content-Disposition” Header Sourced from Request.
Open source support for Spring Framework 5.3.x and 6.0.x generations has ended, and this is our last OSS release for the 6.1.x generation, see our support page for more information…