Spring Framework Releases Fixes for CVE-2024-38808 and CVE-2024-38809

The Spring Framework has released versions 5.3.39, 6.0.23, and 6.1.12 that contain fixes for CVE-2024-38809, DoS via conditional HTTP requests.

The 5.3.39 release contains an additional fix for CVE-2024-38808, DoS via SpEL expression.

Note that version 5.3.39 has fixes for both CVEs. Version 5.3.38 was released earlier on the same day, and it contains the fix for CVE-2024-38809 but not CVE-2024-38808.

Upgrading Your Project

Commercial customers using Spring Boot 2.7, 3.0, or 3.1 can make use of Spring Boot Hotfix releases 2.7.21.1, 3.0.16.1, and 3.1.12.1. Releases are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription.

Upgrading Your Project

Related Articles

Spring Session 3.3.2 and 3.2.5 are available now

Spring Security 6.4.0-M2 is available now

Spring Session 3.4.0-M2 is available now

This Week in Spring - August 20th, 2024

Spring AI with NVIDIA LLM API