Skip to content

fix(deps): update dependency org.springframework:spring-context to v6.2.7 [security]

Perun-GitLab Service Accountrequested to merge
renovate/maven-org.springframework-spring-context-vulnerability into main

This MR contains the following updates:

Package Type Update Change
org.springframework:spring-context dependencies patch 6.2.2 -> 6.2.7

Spring Framework DataBinder Case Sensitive Match Exception

CVE-2025-22233 / GHSA-4wp7-92pw-q264

More information

Details

CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.

Affected Spring Products and Versions

Spring Framework:

  • 6.2.0 - 6.2.6

  • 6.1.0 - 6.1.19

  • 6.0.0 - 6.0.27

  • 5.3.0 - 5.3.42

  • Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix Version  Availability
 6.2.x 6.2.7 OSS
6.1.x 6.1.20 OSS
6.0.x 6.0.28 Commercial https://enterprise.spring.io/
5.3.x 5.3.43 Commercial https://enterprise.spring.io/

No further mitigation steps are necessary.

Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.

For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.

Credit

This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.

Severity

  • CVSS Score: 3.1 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/MR:L/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

spring-projects/spring-framework (org.springframework:spring-context)

v6.2.7

New Features
  • Forward more methods to underlying InputStream in NonClosingInputStream #​34893
  • Introduce Spring property for the default property placeholder escape character #​34865
  • Close ApplicationContext once AOT processing has completed #​34841
  • Fix AbstractJackson2HttpMessageConverter#getObjectMappersForType nullness #​34811
  • Add option for case-insensitive match to PatternMatchUtils #​34801
  • RestClient @RequestBody parameters lose generic type information when creating HTTP service beans #​34793
  • Adds option to set Principal in MockServerWebExchange #​34789
🐞 Bug Fixes
  • Beans created by FactoryBean are not considered as autowiring candidates if another thread holds a singletonLock #​34902
  • PropertySourcesPlaceholderConfigurer placeholder resolution fails in several scenarios #​34861
  • HttpComponentsClientHttpRequestFactory setConnectionRequestTimeout not working with httpclient 5.3.1 #​34851
  • Fragment.create() requires mutable map - which is unusable when used with Kotlin #​34848
  • Duplicate BeanOverrideHandler discovered in @Nested test case with superclass from different class or in interface implemented multiple times #​34844
  • Accidental ClassLoader defineClass enforcement after #​34677 #​34824
  • HttpEntity.EMPTY headers should not be possible to mutate via HttpHeaders constructor #​34812
  • AbstractFileResolvingResource.exists incorrectly reports result for resources inside of spring-boot executable jar #​34796
  • Correctly expand query param with same name from URI variables array #​34783
  • R2DBC NamedParameterUtils only expands reused collection parameter once #​34768
  • PathMatchingResourcePatternResolver wrongly assumes that target/classes always exists #​34764
📔 Documentation
  • Clarify CompositePropertySource behavior for EnumerablePropertySource contract #​34886
  • Javadoc and @Nullable annotation for servletContext parameter of ConfigurableWebEnvironment.initPropertySources are contradictory #​34845
  • Spring MVC: @EnableAsync needs to be redeclared for each ApplicationContext #​34843
  • Provide a working example instead of unclear placeholders #​34828
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Artur-, @​blake-bauman, @​iifawzi, @​kilink, @​quaff, @​whlit, and @​zzoe2346

v6.2.6

New Features
  • An option for SimpleAsyncTaskExecutor to throw an exception when limit is reached #​34727
  • Provide first-class support for Bean Overrides with @ContextHierarchy #​34723
  • Micro performance optimizations #​34717
  • Suppress "Unable to rollback against JDBC Connection" in case of timeout (connection closed) #​34714
  • Avoid early FactoryBean instantiation for type-based retrieval with includeNonSingletons=false and allowEagerInit=true #​34710
  • ReactiveCachingHandler still not using error handler on sync cache. #​34708
  • Add an exchangeForRequiredValue variant to RestClient #​34692
  • Recursively boxing Kotlin nested value classes in CoroutinesUtils #​34682
  • ServletServerHttpRequest does not use charset parameter of application/x-www-form-urlencoded #​34675
  • LifecycleGroup concurrent start and start timeout #​34634
  • HibernateJpaDialect exception translation misses concrete exceptions wrapped in Hibernate's ExecutionException #​34633
🐞 Bug Fixes
  • Inconsistency in SseEmitter.onCompletion() behavior between Spring 6.2.3 and 6.2.5 #​34762
  • Deadlock while creating Spring beans with parallel bootstrap threads on IBM Liberty #​34729
  • PropertyBatchUpdateException: causes of nested PropertyAccessExceptions not shown in output #​34691
  • IllegalAccessError for package-private member of AzureStorageConfiguration on WebSphere #​34684
  • Change in Jar usecache behavior with Spring 6.1.x causing java.lang.IllegalStateException: zip file closed #​34678
  • Startup performance regression due to CGLIB class load attempts in Spring 6.1.x #​34677
  • An infinite wait on a parallel context.getBean() #​34672
  • InvalidObservationException: Invalid start: Observation 'http.client.requests' has already been started #​34671
  • @Configuration classes can no longer be abstract without @Bean methods #​34663
  • Generated-code for LinkedHashMap is missing static keyword #​34659
  • Detect late-set primary markers for autowiring shortcut algorithm #​34658
  • @MockitoBean with custom @Qualifier is not injected into @Configuration class #​34646
  • Qualifier Resolution Issue in Parent-Child Context Hierarchies #​34644
  • Enforced container-level acknowledge call for custom acknowledgement mode #​34635
  • UriComponentsBuilder does not treat a URN as opaque if it contains a slash #​34588
  • Migrating from Spring 6.1.x to 6.2.x leads to exceptions in a Pekko setup #​34303
📔 Documentation
  • Update Javadoc for ignoreDependencyInterface() in AbstractAutowireCapableBeanFactory #​34747
  • Update Javadoc to stop mentioning 5.3.x as the status quo #​34740
  • Fix broken link for Server-Sent Events #​34705
  • Fix typo in Bean Validation section of reference manual #​34686
  • Remove unnecessary closing curly brackets in Javadoc #​34679
  • Add javadoc notes on potential exception suppression in ListableBeanFactory#getBeansOfType #​34629
  • Remove remaining references to Forwarded headers in MvcUriComponentsBuilder #​34625
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​acktsap, @​dmitrysulman, @​iggzq, @​izeye, @​ngocnhan-tran1996, @​obourgain, and @​tobias-haenel

v6.2.5

New Features
  • Make dependencies on AssertJ and JUnit in spring-core-test optional #​34612
  • Suggest compilation with -parameters when AspectJAdviceParameterNameDiscoverer fails against ambiguity #​34609
  • SseBuilder in ServerResponse should allow empty comment #​34608
  • MockServerWebExchange does not allow setting the ApplicationContext on the base class #​34601
  • FormHttpMessageConverter should throw HttpMessageNotReadableException when the http form data is invalid #​34594
  • Provide a method to retrieve all singleton autowire candidates from the bean factory #​34591
🐞 Bug Fixes
  • PathMatchingResourcePatternResolver regression for jar root scanning in 6.2.4 #​34607
  • AbstractReactiveTransactionManager throws IllegalStateException when rollback fails after commit attempt #​34595
  • Recursively boxing/unboxing nested inline value classes #​34592
📔 Documentation
  • MvcUriComponentsBuilder javadocs inaccurately reflects usage of forwarded headers #​34615
  • Fix formatting and update links to scripting libraries and HDIV #​34603
  • Remove dubious link to MockObjects Web site in reference manual #​34593
  • Fix StringUtils#uriDecode Javadoc #​34590
🔨 Dependency Upgrades
  • Upgrade to ASM 9.8 (for early Java 25 support) #​34600
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Helmsdown, @​dmitrysulman, and @​ngocnhan-tran1996

v6.2.4

New Features

  • JettyCoreHttpHandlerAdapter compatibility with Jetty 12.0.17 #​34561
  • HandlerMethodValidationException.Visitor should support RequestBody with method parameter constraints #​34549
  • Allow ContentResultMatchersDsl matchers for supertypes of the checked type #​34542
  • Avoid JarURLConnection resource leak in AbstractFileResolvingResource.exists() #​34528
  • Deprecate rowsExpected property of SqlQuery for removal #​34526
  • Supply RuntimeHints to an AotContextLoader #​34513
  • Deprecate and remove use of UrlPathHelper in ServletWebSocketHandlerRegistry #​34508
  • Avoid unnecessary CGLIB processing on configuration classes #​34486
  • Inconsistent default class loaders in hint classes #​34470
  • Add missing converters to DefaultRestClientBuilder #​34439
  • Improve BeanFactory/ObjectProvider to select the only one default candidate among non-default candidates #​34432

🐞 Bug Fixes

  • MockCookie.parse() fails to parse custom attribute with a value #​34575
  • BeanNotOfRequiredTypeException if @Bean factory method returns null #​34543
  • Regression in 6.2.3: No unique bean available for injection point with unresolvable generics #​34541
  • GenericConversionService cannot find a converter when converting to a Kotlin list of maps #​34535
  • isClientDisconnectedException needs to protect against null input #​34533
  • spring boot 3.4.3 + TimedAspect causes thread to hang #​34522
  • Missing Partitioned cookie support in reactive HTTP clients #​34521
  • DefaultManagedTaskExecutor throws java.lang.UnsupportedOperationException: isShutdown when rejecting tasks #​34514
  • FileSystemResource location does not end with slash for RouterFunction check #​34509
  • AbstractJackson2HttpMessageConverter not resolving generic type for request body since 6.2.3 #​34504
  • Request param handling in HttpRequestValues overrides existing URI variables with same name #​34499
  • MockHttpServletResponse - handle multiple values for Content-Language header #​34488
  • Endless loop with DataSourceUtils in spring-jdbc #​34484
  • MockHttpServletResponse#setHeader does not remove header for null values #​34464
  • ContentCachingResponseWrapper.setHeader does not handle null value properly. #​34460
  • Component scan fails to find bean candidates in the embedded jar file in META-INF/context.xml for embedded Tomcat application #​34446
  • 6.2.0 broke with "Could not register object [@someHash] under bean name 'blabla': there is already object [@sameHash] bound" #​34427
  • 503 status code after completing SseEmitter in onTimeout #​34426
  • NullPointerException thrown when ConfigurationClassEnhancer creates CGLIB proxy #​34423
  • Add onRequest() hook for propagating request from downstream #​34388
  • Content-Type response header duplicated for failed StreamingResponseBody return value #​34366
  • Task scheduler configured by XML is not eligible for getting processed by all BeanPostProcessors #​34015

📔 Documentation

  • Fix typo in Spring MVC error responses documentation #​34552
  • Document that Spring Framework 6.x does not yet support JSpecify annotations #​34551
  • Fix web and webflux reference links #​34517
  • Document default KeyGenerator in spring-cache XSD #​34468
  • Fix broken antora task #​34454
  • Add @since tag for formField() and formFields in MockHttpServletRequestDsl #​34448
  • Improve Javadoc of ObjectProvider to clarify what is unique #​34447
  • rest-http-interface example code can't run #​34443
  • Add Javadoc since for HandlerMethod(HandlerMethod, Object, boolean) #​34431
  • Document wrapping behavior of TestExecutionListener callbacks #​34422
  • Cross reference annotation search APIs in Javadoc #​34421

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​chenggangpro, @​dark2momo, @​dmitrysulman, @​izeye, @​ngocnhan-tran1996, @​pankratz76, @​quaff, @​ryanprayogo, and @​vpavic

v6.2.3

New Features

  • Add form fields to MockMvc Kotlin DSL #​34412
  • Make ProblemDetail implement Serializable #​34409
  • Support @MockitoSpyBean at the type level on test classes #​34408
  • Expose order values of TestExecutionListener implementations as constants #​34404
  • ContentDisposition should match attributes in a case-insensitive fashion #​34383
  • Provide access to servletPath in ServletRequestPathUtils #​34379
  • Use ConversionService to convert POJO to array for SpEL varargs invocations #​34371
  • Provide a more actionable CGLIB error message with native #​34370
  • Wrap disconnected client exceptions as AsyncRequestNotUsableException in Servlet container onError callback #​34363
  • Support RFC 8441 WebSocket upgrade with HTTP/2 CONNECT #​34362
  • Optimize default property editor allocations for bean instance creation #​34361
  • Continue with pre-instantiation when current bean is in creation already #​34349
  • Allow filtering bean instances returned by ObjectProvider#stream() #​34318
  • GenericConversionService finds wrong converter for partially unresolvable generic types #​34298
  • Avoid re-creating HandlerMethod unless handler is resolved through the BeanFactory #​34277
  • UrlResource should leniently handle HTTP endpoints which do not support HEAD #​34217
  • Add API counterpart for handling Fallback and 'defaultCandidate=false' beans #​34203
  • Add support for multidimensional arrays #​34183
  • Add getters to ServerResponseResultHandler #​34066
  • Improve diagnostics when a Bean Override cannot be selected by type #​34006
  • Expression performance regression due to missing annotation types on context classes #​33948

🐞 Bug Fixes

  • PathMatchingResourcePatternResolver failing against non-jar file in classpath #​34417
  • GenericTypeResolver Since 6.2.0, generics cannot be obtained correctly in multi-layer interface inheritance (possible regression of #​24963) #​34386
  • Test Bean Overrides honor fallback qualifier instead of @Primary semantics #​34374
  • HTTP interface client raises IllegalArgumentException if query param name contains a colon #​34364
  • Quartz-style Nth Day of Week cron expressions can overflow to other month #​34360
  • Component scan fails to find jar entries in WEB-INF/classes with embedded Tomcat #​34348
  • Check hasNext when when accessing sessionIds from UserDestinationResult #​34333
  • Property binding to Map that implements Iterable no longer works #​34332
  • GenericTypeResolver returns EmptyType #​34328
  • Duplicate BeanOverrideHandler discovered in @Nested test class hierarchy when upgrading to Spring 6.2.2 #​34324
  • AnnotationBeanNameGenerator issues warning about explicitly aliased value attribute #​34317
  • Stop assuming that AspectJ Advice has JoinPoint as the first argument #​34316
  • Constructor binding fails for simple types List/Map/Array and for nested container combinations #​34305
  • Change in BeanFactoryUtils.beanNamesForTypeIncludingAncestors() Behavior in Spring Framework 6.2.x causing ClassCastExceptions #​34300
  • Data binding does not filter HTTP headers for constructor binding #​34292
  • Escaped character in nested placeholder not detected properly and leads to invalid parts #​34289
  • ReflectJvmMapping.getKotlinFunction returns null for Kotlin properties #​34284
  • ConfigurationClassEnhancer should explicitly set custom ClassLoader on CGLIB Enhancer (aligned with CglibAopProxy) #​34274
  • Connection reset exception from RestTemplate call in Spring Web MVC controller is ignored #​34264
  • AsyncExecution fails to detect the return type of an annotated method from an interface with a generic #​33957
  • Ensure Locale context is available for WebFlux method validation #​33810

📔 Documentation

  • Fix reference to ApplicationContext#getAutowireCapableBeanFactory in reference documentation #​34400
  • Clarify component scanning of abstract classes with @Lookup methods #​34367
  • Minor update in WebSocket STOMP reference documentation #​34353
  • Clarify documentation on the usage of RestClient in POST scenarios without response body #​34334
  • Document limitation around the port of localAddress in StandardWebSocketSession #​34304
  • Fix Javadoc for field reflection hints #​34297
  • Improve Javadoc for SpringProperties.getFlag() #​34295
  • Link to current AspectJ Javadoc #​34293
  • Update Javadoc for SimpleCommandLinePropertySource #​34282
  • Update RestClientException Javadoc to refer to RestClient #​34270
  • Document order values for TestExecutionListener implementations #​34265
  • Document custom HttpServiceArgumentResolver usage #​34227

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​JoshuaChen, @​Puppy4C, @​anaconda875, @​brandenclark, @​canattofilipe, @​dobrosi, @​izeye, @​jazdw, @​khoutz182, @​kwondh5217, @​pirocraft, @​quaff, @​remeio, and @​tarekmues

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Merge request reports