On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 5.7.17, 5.8.19, 6.0.17, 6.1.15, 6.2.11, 6.3.9, and 6.4.5 are available now which fix CVE-2025-22234.

Please refer to the releases page for more details.

Commercial customers using Spring Boot 2.7, 3.0, 3.1, or 3.2 will be able to update to Spring Boot 2.7.24.2, 3.0.19.2, 3.1.15.2, or 3.2.13.2 respectively to receive the corresponding Security releases 5.7.17, 6.0.17, 6.1.15, and 6.2.11. These Security versions are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription…

Spring Cloud Data Flow End of Open-Source

TL;DR; Today we're announcing that going forward we will not be maintaining Spring Cloud Data Flow, Spring Cloud Deployer, or Spring Statemachine as open-source projects. Spring Cloud Data Flow 2.11.x, Spring Cloud Deployer 2.9.x, and Spring Statemachine 4.0.x will be the last open-source lines and any future releases will only be made available to Tanzu Spring customers. This change has no impact on the rest of the open-source Spring portfolio or the support obligations of the currently available OSS versions for existing users.

Spring Cloud Data…

On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security 6.3.9.

Please check the changelog for more details.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security 6.4.5.

Please check the changelog for more details.

Project Page | GitHub | Issues | Documentation

On behalf of the team and everyone who has contributed, I am pleased to announce the release candidate milestone for the final Spring Security 6 minor release.

Among a number of feature enhancements, there are some that we'd love your attention on as we prepare them for general availability:

Core

• Complete Deprecation of ConfigAttribute, SecurityConfig, and other Access API components.

Specifically, please speak up if you are using any of the ACL Access components that were deprecated.

OAuth 2.0

• Further refinements to DPoP support - #16937, #16921, and #16900

SAML 2.0

• Simplified SAML 2.0 Response validation (docs), Assertion validation (docs), and Authentication conversion (docs)
• A RelayState-based Authentication Request Repository - #14793
…

Hi, Spring fans! In this episode I'm joined by well-known member of the Java community Jeff Genender, whose contributions to Apache over the decades have driven several key projects with which you're no doubt familiar.

On behalf of the Spring for GraphQL team, I am pleased to announce the availability of 1.4.0-RC1, our last stop before the generally available release. In case you missed it, 1.4.0-M1 already shipped lots of new features and improvements.

You can read the full changelog for 1.4.0-RC1 and the upgrade notes on our wiki.

DataLoader observations

The Spring for GraphQL instrumentation creates Micrometer Observations for GraphQL requests and DataFetcher operations. Some data fetching operations are relying on batch loading calls to avoid the "N+1 problem". In previous generations, one would not see the difference between a "full" data fetching operation and one that simply delegates to DataLoader…

I am pleased to announce that Spring for GraphQL 1.3.5 is now available on Maven Central.

1.3.5 closes 12 issues. This version will ship with Spring Boot 3.3.11 and 3.4.5, to be released next week.

How can you help?

If you have general questions, please ask on stackoverflow.com using the spring-graphql tag.

Project Page | GitHub | Issues | Documentation | Stack Overflow

On behalf of the team and everyone who has contributed, I am pleased to announce a new milestone for the next Spring Framework generation. The fourth milestone continues delivering new features and refinements on top of 7.0.0-M1, 7.0.0-M2 and 7.0.0-M3.

Class-File API usage for Java 24+ apps

Spring Framework reads class bytecode to collect metadata about the application code. Historically we have used a slim ASM fork for this purpose, through the MetadataReaderFactory and MetadataReader types in the org.springframework.core.type.classreading package. Although Spring applications typically have no direct exposure to this API, this is especially useful when parsing @Configuration…