Spring End-of-Life Resource Hub

End of life doesn’t have to mean end of support. Find strategies, resources, and solutions for keeping your Spring applications stable, secure, and compliant.

Spring EOL Resource Hub

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

EOL Calendar

Stay ahead of critical EOL and LTS milestones before they impact production.

EOL

Enters LTS

New OSS Version release

Jan

Feb

Mar

Apr

May

Jun

Jul

Aug

Sep

Oct

Nov

Dec

Spring Boot logo

Spring Boot

Spring Boot 3.3 (OSS Support) (Jun 30, 2025)

Spring Boot 3.1 (Commercial Support) (Jun 30, 2025)

Spring Boot 3.5.6 (Sep 18, 2025)

Spring Boot 3.4 (Dec 31, 2025)

Spring Boot 3.2 (Commercial Support) (Dec 31, 2025)

Spring Framework logo

Spring Framework

Spring Framework 6.1.x (OSS Support) Jun 30, 2025)

Spring Framework 6.2.10 (Aug 14, 2025)

Spring Framework 6.2.11 (Sep 11, 2025)

Apache Tomcat logo

Apache Tomcat

Tomcat 11.0.11 (Sep 05, 2025)

Struts logo

Apache Struts

Struts 7.0.3 (GA) (Mar 03, 2025)

Struts 6.7.4 (GA) (Mar 05, 2025)

Solr logo

Apache Solr

Solr 9.9.0 (Jul 24, 2025)

Apache Tapestry logo

Apache Tapestry

Tapestry 5.9.0 (Feb 11, 2025)

Apache Camel logo

Apache Camel

Camel 4.10.4 (LTS) (Apr 30, 2025)

Camel 4.8.7 (LTS) (May 09, 2025)

Camel 4.12.0 (May 29, 2025)

Camel 4.10.5 (LTS) (Jun 03, 2025)

Camel 4.8.8 (LTS) (Jun 26, 2025)

Camel 4.10.6 (LTS) (Jun 27, 2025)

Camel 4.13.0 (Jul 08, 2025)

Camel 4.14.0 (LTS) (Aug 19, 2025)

Camel 4.8.9 (LTS) (Sep 17, 2025)

Apache Spark logo

Apache Spark

Spark 4.0.0 (May 23, 2025)

Spark 3.5.6 (May 29, 2025)

Spark 4.0.1 (Sep 06, 2025)

Apache Cocoon logo

Apache Cocoon

Project retired to Apache Attic (move completed) (Mar 01, 2025)

Hibernate logo

Hibernate

Hibernate ORM 7.0.0.Final (May 18, 2025)

Hibernate ORM 7.1.0.Final (Aug 08, 2025)

Featured Articles

Browse expert insights, industry news, analyses, and how-tos on navigating Spring and Java end-of-life transitions.

Spring Boot 3.2 Is End-of-Life: What That Actually Means for Your Applications

Spring Boot 3.2 Is End-of-Life: What That Actually Means for Your Applications

Spring Boot 3.2 has reached end of life, ending all upstream security patches and fixes. Here’s what that means for production systems and how teams can stay secure without rushing a major upgrade.

The Transitive Dependency Dilemma: Choices to Make When Projects Evolve at Different Speeds

The Transitive Dependency Dilemma: Choices to Make When Projects Evolve at Different Speeds

Why you should think about stability as well as security when CVE's show up in transitive dependencies

CVE-2025-41254: Spring WebSocket CSRF Bypass Vulnerability Explained

CVE-2025-41254: Spring WebSocket CSRF Bypass Vulnerability Explained

Attackers can send unauthorized messages without establishing a proper WebSocket session — exposing Spring WebSocket applications to CSRF-style attacks.

Spring Data Redis Exposure to Redis Lua Parser Use-After-Free (CVE-2025-49844)

Spring Data Redis Exposure to Redis Lua Parser Use-After-Free (CVE-2025-49844)

A critical Redis Lua parser flaw (CVE-2025-49844) could enable remote code execution — here’s what it means for Spring Data Redis users and how to stay protected.

How to Keep the Spring Framework and Spring Boot Secure from CVEs

How to Keep the Spring Framework and Spring Boot Secure from CVEs

Why full-stack remediation across Spring Framework, Boot, and beyond is essential for true security.

Spring Cloud Gateway: Critical Environment Modification Vulnerability (CVE-2025-41243)

Spring Cloud Gateway: Critical Environment Modification Vulnerability (CVE-2025-41243)

Critical Spring Cloud Gateway Flaw Exposes Runtime Environments

Never-Ending Support Now Covers Spring Boot 3.2, 3.3 and 3.4

Never-Ending Support Now Covers Spring Boot 3.2, 3.3 and 3.4

Secure Spring Boot 3.2, 3.3, 3.4 Beyond End-of-Life with Never-Ending Support

Spring 6.1 Is Now Officially End-of-Life — What That Means for You

Spring 6.1 Is Now Officially End-of-Life — What That Means for You

Spring 6.1 is now end-of-life. Here’s what that means—and how to stay secure without rewriting your stack

Spring Framework 6.1 Reaches End of Life June 30 — What Now?

Spring Framework 6.1 Reaches End of Life June 30 — What Now?

Spring Framework 6.1 loses open-source support on June 30, 2025. If you're still in production without a backup plan, it's time to act.

The Hidden Risk in Spring Boot 2.7: Managed Dependencies Still Matter

The Hidden Risk in Spring Boot 2.7: Managed Dependencies Still Matter

What happens to your security when Spring Boot 2.7 stops updating—and how HeroDevs NES protects you from hidden CVEs.

CVE-2025-22232: Authentication Bypass in Spring Cloud Config – What You Need to Know

CVE-2025-22232: Authentication Bypass in Spring Cloud Config – What You Need to Know

A authorization bypass in Spring Cloud Config (CVE-2025-22232) puts Vault token security at risk—learn how to protect your applications with HeroDevs’ Never-Ending Support.

The Security Risks of Staying on Spring Boot 2.7 and Spring Framework 5

The Security Risks of Staying on Spring Boot 2.7 and Spring Framework 5

Spring Boot 2.7 and Spring Framework 5 are end-of-life—leaving applications exposed to unpatched vulnerabilities. Here’s what that means for your security and compliance posture.

Simplified Builds with Never-Ending Support for Spring

Simplified Builds with Never-Ending Support for Spring

Simplifying Your NES for Spring Migration with a Seamless Group ID Update

The Security Risks of Staying on Spring Boot 1.5 and Spring Framework 4

The Security Risks of Staying on Spring Boot 1.5 and Spring Framework 4

Understanding the Security Risks of End-of-Life Spring Boot 1.5 and Spring Framework 4

Never-Ending Support (NES) for Spring Now Available for Spring Framework 4.x

Never-Ending Support (NES) for Spring Now Available for Spring Framework 4.x

Never-Ending Support (NES) for Spring now includes Spring 4.x, ensuring security and compliance beyond its EOL.

CVE-2024-38828: DoS via Spring MVC Controller Method with byte[] Parameter

CVE-2024-38828: DoS via Spring MVC Controller Method with byte[] Parameter

Protect your Spring Framework applications from CVE-2024-38828 with HeroDevs' Never-Ending Support for secure and compliant operations.

Spring Framework 6: The Full Cost of Migrating from v5 to v6

Spring Framework 6: The Full Cost of Migrating from v5 to v6

Navigating the Challenges and Costs of Migrating to Spring Framework 6

CVE-2024-38819: High-Severity Path Traversal Vulnerability in Spring Framework

CVE-2024-38819: High-Severity Path Traversal Vulnerability in Spring Framework

Addressing CVE-2024-38819: Protecting Legacy Spring Framework Applications from Path Traversal Vulnerabilities

CVE-2024-38821: Critical Authorization Bypass Vulnerability in Spring WebFlux Applications

CVE-2024-38821: Critical Authorization Bypass Vulnerability in Spring WebFlux Applications

Addressing CVE-2024-38821: Critical Vulnerability in Spring WebFlux and How HeroDevs’ Spring NES Keeps Legacy Applications Secure

CVE-2024-38820: DataBinder Case Sensitive Match Exception Vulnerability in Spring Framework

CVE-2024-38820: DataBinder Case Sensitive Match Exception Vulnerability in Spring Framework

Addressing the CVE-2024-38820 vulnerability in Spring Framework’s DataBinder, HeroDevs offers long-term security with Spring NES for legacy versions."

CVE-2024-38807: Spring Boot Signature Forgery Vulnerability

CVE-2024-38807: Spring Boot Signature Forgery Vulnerability

Spring Boot Signature Forgery Vulnerability in Nested Jar Verification

High and Medium CVEs in Spring 4.3.x: Why Your Business is at Risk and How to Protect It

High and Medium CVEs in Spring 4.3.x: Why Your Business is at Risk and How to Protect It

Stay ahead of security risks—learn about Spring 4.3.x vulnerabilities and the critical steps to safeguard your systems.

CVE-2024-38816: Path Traversal Vulnerability Discovered in Spring Framework

CVE-2024-38816: Path Traversal Vulnerability Discovered in Spring Framework

Protect your Spring Framework application from CVE-2024-38816 with security fixes from HeroDevs

Build the Perfect Deprecated Spring Commercial Support Package with HeroDevs’ Never-Ending Support

Build the Perfect Deprecated Spring Commercial Support Package with HeroDevs’ Never-Ending Support

Tailor the perfect support package for your deprecated Spring applications with HeroDevs' Never-Ending Support, designed to meet your business's unique needs.

Navigating the End of Life for Spring Framework 5.3 and 6: What You Need to Know

Navigating the End of Life for Spring Framework 5.3 and 6: What You Need to Know

Staying Secure Post-EOL: Strategies for Managing Spring Framework 5.3 and 6.0

What You Need to Know: Spring Framework’s End-of-Life Dates

What You Need to Know: Spring Framework’s End-of-Life Dates

Stay Informed and Secure: Navigating Spring Framework's End-of-Life Dates

Introducing Never-Ending Support for Spring at HeroDevs

Introducing Never-Ending Support for Spring at HeroDevs

Extend the life of your Spring Framework applications with HeroDevs' Never-Ending Support (NES) for Spring

HeroDevs joins OpenJS Foundation to Drive Security and Compliance for Deprecated Open Source Software

HeroDevs joins OpenJS Foundation to Drive Security and Compliance for Deprecated Open Source Software

Driving Security and Compliance for Deprecated Open Source Software

10 Tomcat CVEs to Watch Out for in 2025 (Patched by HeroDevs NES)

From RCE to DoS, these 2025 Apache Tomcat vulnerabilities target versions still widely used in production. HeroDevs NES neutralizes the threat.

10 Tomcat CVEs to Watch Out for in 2025 (Patched by HeroDevs NES)

From RCE to DoS, these 2025 Apache Tomcat vulnerabilities target versions still widely used in production. HeroDevs NES neutralizes the threat.

Never-Ending Support Now Covers Spring Boot 3.2 and 3.4

Secure Spring Boot 3.2 & 3.4 Beyond End-of-Life with Never-Ending Support

Never-Ending Support Now Covers Spring Boot 3.2 and 3.4

Secure Spring Boot 3.2 & 3.4 Beyond End-of-Life with Never-Ending Support

Explore CVEs in Spring

Monitor and learn more about known vulnerabilities in legacy Spring and other popular Java libraries.

Severity

ID

Technology

Libraries Affected

Category

Version(s) Affected

Published Date

High

Spring

Apache Kafka

Remote Code Execution

>=2.3.0 <=3.3.2

Dec 16, 2025

Medium

Spring

Apache Kafka

No items found.

>=2.3.0 <=3.5.2 >=3.6.0 <=3.6.2 =3.7.0

Dec 16, 2025

High

Spring

Apache Kafka

Server-Side Request Forgery

>=3.1.0 <3.9.1

Dec 16, 2025

Medium

Spring

Apache Kafka

Incorrectly Configured Access Control

>=0.10.2.0 <3.7.2 =3.8.0

Dec 16, 2025

High

Spring

Spring Cloud Gateway

Information Exposure

>=3.1.0 <=3.1.11, >=4.0.0, >=4.1.0 <=4.1.11, >=4.2.0 <=4.2.5, >=4.3.0 <=4.3.1

Oct 21, 2025

Medium

Spring

Spring Framework

Cross-site Request Forgery

>=6.2.0 < 6.2.12, >=6.1.0 < 6.1.24, >=6.0.0 <=6.0.29, >=5.3.0 < 5.3.46, <5.3.0, >4.3.0 <= 4.3.30

Oct 21, 2025

Medium

Spring

Spring Framework

Privilege Abuse

>=5.3.0 <=5.3.44, >=6.0.0 <=6.0.29, >=6.1.0 <6.1.23, >=6.2.0 <6.2.11

Sep 22, 2025

Critical

Spring

Spring Cloud Gateway

Incorrectly Configured Access Control

>=3.1.0 <=3.1.9, >=4.0.0 <=4.0.9, >=4.1.0 <=4.1.9, >=4.2.0 <4.2.5, >=4.3.0 <4.3.1

Sep 10, 2025

Medium

Spring

Spring Framework

Path Traversal

>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.43, >=6.0.0 <=6.0.29, >=6.1.0 <=6.1.21, >=6.2.0 <=6.2.9

Aug 18, 2025

High

Spring

Spring Cloud Gateway

HTTP Request Smuggling

<=3.1.10, >= 4.0.0 <= 4.0.10, >=4.1.0 <4.1.8, >=4.2.0 <4.2.3, >4.3.0-{M1, M2, RC1} < 4.3.0

Jun 2, 2025

Low

Spring

Spring Framework

Authorization Bypass

>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.42, >=6.0.0 <=6.0.27, >=6.1.0 <6.1.20, >=6.2.0 <6.2.7

May 15, 2025

High

Spring

Spring Security

Authorization Bypass

>=5.7.0 <5.7.12, >=5.8.0 <5.8.11, >=6.0.0 <6.0.10, >=6.1.0 <6.1.8, >=6.2.0 <6.2.3

May 8, 2025

Medium

Spring

Spring Boot

Incorrectly Configured Access Control

<2.7.0, >=2.7.0 <2.7.25, >=3.1.0 <3.1.16, >=3.2.0 <3.2.14, >=3.3.0 <3.3.11, >=3.4.0 <3.4.5

Apr 25, 2025

Medium

Spring

Spring Security

Information Exposure

=5.7.16, =5.8.18, =6.0.16, =6.1.14, =6.2.10, =6.3.8, =6.4.4

Apr 22, 2025

Medium

Spring

Spring Cloud Config

Authorization Bypass

>=2.2.0 <=2.2.8, >=3.0.0 <=3.0.7, >=3.1.0 <3.1.10, >=4.0.0 <=4.0.5, >=4.1.0 <4.1.6, >=4.2.0 <4.2.1

Apr 10, 2025

Featured Whitepaper

Deep-dive reports and technical briefings on migration, risk, and long-term Spring strategy.

Java in 2025:
Navigating Migration, Security, and Long-Term Risk

The question for CIOs, CISOs, and engineering leaders is no longer whether to continue relying on Java. It is how to migrate safely between LTS versions, reduce exposure in legacy environments, and implement governance frameworks that withstand regulatory scrutiny.This white paper provides detailed analysis of migration realities, real-world breach lessons, supply-chain risk, and the economic, regulatory, and vendor dynamics shaping enterprise decisions in 2025.

Read White Paper

Java in 2025 - whitepaper thumbnail

Ready to Eliminate EOL Risk?

Start scanning your codebase today. Identify every end-of-life package in minutes, not hours.

Start Free Scan

End-of-Life Dataset results

CVEs Explained

Go under the hood of major Spring CVEs as our team dissects the exploit, explains the patch, and shows you how to defend your stack.

CVE-2025-48976 thumbnail

Denial of Service

Project Affected:

Apache Commons Fileupload in Struts

>=2.0.0-M1 <2.0.0-M

CVE-2025-46701 thumbnail

Project Affected:

Apache Tomcat in Apache Tomcat

>=9.0.0.M1 <9.0.105

>=10.1.0-M1 <10.1.41

>=11.0.0-M1 <11.0.7

CVE-2025-31651 thumbnail

Command Injection

Project Affected:

Apache Tomcat in Apache Tomcat

>=9.0.76 <9.0.104

>=10.1.10 <10.1.40

>=11.0.0-M2 <11.0.6

CVE-2025-48734 thumbnail

Remote Code Execution

Project Affected:

Apache Commons Beanutils in Struts

>=2.0.0-M1 <2.0.0-M2

Get Started

Thank you! Your submission has been received!

Please enter a company email.

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Preferences Reject Accept

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.