Hi, Spring fans! Welcome to another extra special installment of This Week in Spring, wherein we celebrate a very auspicious day indeed: the release of Java 25 and GraalVM 25! That's right: an incredible new iteration of the JVM has just dropped and with it come a ton of features! Let's go through some of my favorites.

One nicety is the new Module import declarations - import all the packages in a given module with a new import variant. (Does not require importer be in a module). So now you could do: import module java.base; to get most of the core JDK types in your program in a single line…

I am pleased to announce that the third Spring for GraphQL 2.0 Milestone release is now available.

Nullability support in schema mapping inspection

Our Schema Mapping Inspection feature got a recent upgrade thanks to our work on Null-safety in Spring projects.

If your application is written in Kotlin, or is using Null-safety annotations, further inspections will be performed. The GraphQL schema can declare nullable types (Book) and non-nullable types (Book!). We can ensure that both the schema and the application are in sync when it comes to nullability information.

• For schema fields, we can check that the relevant Class properties and DataFetcher return types with the same nullability.
• For field arguments, we can ensure that DataFetcher parameters have the same nullability
…

I am pleased to announce that Spring for GraphQL 1.4.2 is now available on Maven Central. This release closes 10 issues.

This version will ship with Spring Boot 3.5.6, to be released this week.

How can you help?

If you have general questions, please ask on stackoverflow.com using the spring-graphql tag.

Project Page | GitHub | Issues | Documentation | Stack Overflow

The Model Context Protocol (MCP) standardizes how AI applications interact with external tools and resources. Spring joined the MCP ecosystem early as a key contributor, helping to develop and maintain the official MCP Java SDK that serves as the foundation for Java-based MCP implementations. Building on this contribution, Spring AI has embraced MCP with comprehensive support through dedicated Boot Starters and MCP Java Annotations, making it easier than ever to build sophisticated AI-powered applications that can seamlessly connect to external systems.

This blog introduces core MCP components and demonstrates building both MCP Servers and Clients using Spring AI, showcasing basic and advanced features. The complete source code is available at: MCP Weather Example…

In this 2nd blog post of the Road to GA series highlighting major features within the Spring portfolio for the next major versions to be released in November, I’m going to focus on the upcoming API Versioning support in Spring Framework 7.

Introduction

API versioning is a challenging topic. Most articles list various ways to do it, but offer no advice. When advice is offered, it ranges widely. For example, Roy Fielding advises against it. It is a common and widely used practice, and yet there is no standard or agreement on how to or whether to do it.

Furthermore, different applications have…

On behalf of the team and everyone who has contributed, I’m happy to announce that Spring for Apache Pulsar 1.2.10 and 2.0.0-M3 have been released and are now available from Maven Central.

The 1.2.10 release will be included in the upcoming Spring Boot 3.4.10 and 3.5.6 releases. The 2.0.0-M3 release will be included in the upcoming Spring Boot 4.0.0-M3 release.

Please see the release notes (1.2.10 and 2.0.0-M3) for more details.

--- IMPORTANT UPDATE ---

An error occurred in our release process for 6.4.10 and 6.5.4 that did not include Spring Framework 6.2.11.

Given this, we have released 6.4.11 and 6.5.5, which now includes Spring Framework 6.2.11.

On behalf of the team and everyone who has contributed, I am pleased to announce the availability of Spring Security 6.4.10 and 6.5.4.

Spring Security 6.4.10 ships with 4 fixes and several dependency upgrades. This version will be shipped this week with Spring Boot 3.4.10.

Spring Security 6.5.4 ships with 4 fixes and several dependency upgrades. This version will be shipped this week with Spring Boot 3.5.6…

The Spring Security and Spring Framework teams have collaborated to release fixes for the following CVEs.

• CVE-2025-41248: Spring Security authorization bypass for method security annotations on parameterized types
• CVE-2025-41249: Spring Framework Annotation Detection Vulnerability

Both of these CVE reports pertain to vulnerabilities that may be encountered when using security annotations on methods within type hierarchies with a parameterized super type with unbounded generics. See the individual CVE reports for further details.

CVE-2025-41248

The Spring Security 6.4.11 and 6.5.5 open source releases address CVE-2025-41248…