Skip to content

fix(deps): update spring.version to v6 [security]#1506

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/major-spring.version
Open

fix(deps): update spring.version to v6 [security]#1506
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/major-spring.version

Conversation

@renovate

@renovate renovate Bot commented May 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
org.springframework:spring-webmvc 5.3.396.0.0 age confidence
org.springframework:spring-web 5.3.396.0.0 age confidence

Spring MVC controller vulnerable to a DoS attack

CVE-2024-38828 / GHSA-w3c8-7r8f-9jp8

More information

Details

Spring MVC controller methods with an @​RequestBody byte[] method parameter are vulnerable to a DoS attack.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Pivotal Spring Framework contains unsafe Java deserialization methods

CVE-2016-1000027 / GHSA-4wrc-f8pq-fpqp

More information

Details

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

spring-projects/spring-framework (org.springframework:spring-webmvc)

v6.0.0

Compare Source

See What's New in Spring Framework 6.x and Upgrading to Spring Framework 6.x for upgrade instructions and details of new features.

⭐ New Features
  • Avoid direct URL construction and URL equality checks #​29486
  • Simplify creating RFC 7807 responses from functional endpoints #​29462
  • Allow test classes to provide runtime hints via declarative mechanisms #​29455
📔 Documentation
  • Align javadoc of DefaultParameterNameDiscoverer with its behavior #​29494
  • Document AOT support in the TestContext framework #​29482
  • Document Ahead of Time processing in the reference guide #​29350
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ophiuhus and @​wilkinsona

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the renovate label May 14, 2026
@socket-security

socket-security Bot commented May 14, 2026
edited
Loading

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedorg.springframework/​spring-webmvc@​5.3.39 ⏵ 6.0.03625 -4790100100
Updatedorg.springframework/​spring-beans@​5.3.39 ⏵ 6.0.03610090100100
Updatedorg.springframework/​spring-context-support@​5.3.39 ⏵ 6.0.03610090100100
Updatedorg.springframework/​spring-context@​5.3.39 ⏵ 6.0.0369890100100
Updatedorg.springframework/​spring-core@​5.3.39 ⏵ 6.0.0368590100100
Updatedorg.springframework/​spring-web@​5.3.39 ⏵ 6.0.03670 +4590100100

View full report

@socket-security

socket-security Bot commented May 14, 2026
edited
Loading

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch in maven org.springframework:spring-webmvc

CVE: GHSA-7phw-cxx7-q9vq Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch (CRITICAL)

Affected versions: >= 6.0.0 < 6.0.7; >= 5.3.0 < 5.3.26

Patched version: 6.0.7

From: pom.xmlmaven/org.springframework/spring-webmvc@6.0.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.springframework/spring-webmvc@6.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot force-pushed the renovate/major-spring.version branch from 199aab0 to f3d760a Compare June 1, 2026 23:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants