spring-projects/spring-framework v7.0.8

on GitHub

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs, you can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

• CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
• CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
• CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
• CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
• CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
• CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
• CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
• CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
• CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
• CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
• CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
• CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
• CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
• CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
• CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
• CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

• Include zone ID in CronTrigger's equals/hashCode implementations #36871
• Expose ClassLoader from DefaultDeserializer #36833
• Use immutable map for SEPARATORS static field in DefaultPathContainer #36821
• Eagerly compute exit descriptors for negative literals #36801
• Revise property accessor algorithms #36800
• Improve path pattern matching #36799
• Refine default view name resolution #36793
• Refine Jackson JMS converters #36791
• Improve ABNF rule checks in RfcUriParser #36787
• Restrict SpringVersion.getVersion() to "major.minor.patch" format #36785
• Runtime compatibility with JPA 4.0 M4 and corresponding Hibernate 8.0 snapshots #36784
• Allow specifying the charset to use in ExchangeFilterFunctions#basicAuthentication #36777
• Use CollectionUtils to initialize HashMap in DefaultUriBuilderFactory #36763
• Improve error messages in SpEL #36756
• Improve pattern caching in SpEL #36755
• Avoid ResolvableType#forType contention for implicit cache cleanup #36745
• Switch to JdkIdGenerator for WebSocket Sessions #36740
• Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36727
• LiteWebJarsResourceResolver does not resolve directories #36726
• Warn against unsafe static resource locations in MVC and WebFlux #36692
• Consistent compatibility with Woodstox as an alternative to Xerces #36682
• Improve principal checks for SockJS session #36681
• Set host header consistently in STOMP relay CONNECT frames #36673
• Support Micrometer context propagation in Kotlin Flow #36667
• Reliable detection of broadcast messages in UserDestinationMessageHandler #36662

🐞 Bug Fixes

• Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36869
• Server Sent Event does not support multi-line comments #36866
• CronExpression skips days on midnight DST gap #36865
• Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36835
• Preserve generic type info in awaitEntity() #36834
• Bean Background Bootstrap and Lazy Init #36844
• Back-off for DefaultMessageListenerContainer with OracleAQ has changed and is very short in SpringBoot 4 #36809
• Character outside of permitted range in Content Disposition #36805
• Fix JSP tag processing #36797
• Fix script processing capabilities #36795
• Jaxb2XmlEncoder exclusivity prevents JacksonXmlEncoder usage and hinders POJO serialization #36776
• JacksonXmlEncoder.canEncode incorrectly returns true for String body with application/xml #36775
• Consistently expose map key quotes in PropertyAccessorUtils #36765
• Fix fragment parsing for relative URI in RFC URI parser #36762
• Fix race condition in InMemoryWebSessionStore #36742
• Parsing failure for MIME type with quoted parameter values #36730
• Circular dependency between supplier-created beans is silently ignored on startup #36725
• Data is lost for joined DataBuffer in DataBufferUtils #36714
• Cache collisions in CachingResourceResolver #36713
• Unexpected path element removal when resolving versioned resources #36698
• Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36694
• Regression on value class parameter handling #36665
• Fix inverted logic for boolean last flag in JettyWebSocketSession when sending binary message #36650
• Parent traceId is not reused when calling WebClient.awaitExchange function #36182

📔 Documentation

• Fix broken links to Selenium documentation #36875
• Fix applicability note on setAutoGrowCollectionLimit #36863
• Document @Conditional gating of nested @Configuration classes #36831
• Javadoc of nestingLevel parameter in MethodParameter constructor is inconsistent with actual implementation #36826
• Re-structuring of Data Binding Content in Web Sections of Documentation #36803
• Fix typos for validateExistingTransaction #36767

🔨 Dependency Upgrades

• Upgrade to Micrometer 1.16.6 #36883
• Upgrade to Reactor 2025.0.6 #36884

❤️ Contributors

Thank you to all the contributors who worked on this release:

@0AndWild, @Dennis-Mircea, @cookie-meringue, @daguimu, @dmitrysulman, @kilink, @kzander91, @leestana01, @mguiking, @quaff, @seonwooj0810, @sgerke-1L, @shenjianeng, @tianhaocui, @wushiyuanmaimob, and @zmovo