There was a flurry of activity in the Spring ecosystem during the week of September 15th, 2025, highlighting third milestone releases of Spring Boot, Spring Security, Spring for GraphQL, Spring Integration, Spring Modulith, Spring REST Docs, Spring Batch and Spring for Apache Pulsar. There were also resolutions to CVEs in Spring Framework and Spring Security.
Spring Boot
The third milestone release of Spring Boot 4.0.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: a refactor of the PropertyMapper class so that calls to adapter or predicate methods are no longer made by default if the source value is null; and a replacement of the @OptionalParameter annotation on optional actuator endpoint parameters with the @Nullable annotation provided by JSpecify. More details on this release, including breaking changes, may be found in the release notes and wiki page.
Spring Framework
The Spring Framework team has disclosed CVE-2025-41249, Spring Framework Annotation Detection Vulnerability, a vulnerability where the Spring Framework annotation detection mechanism “may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics.” This CVE, affecting versions 6.2.0 – 6.2.10, 6.1.0 – 6.1.22 and 5.3.0 – 5.3.44, is only applicable for applications using the Spring Security @EnableMethodSecurity annotation.
Spring Cloud
The second milestone release of Spring Cloud 2025.1.0, codenamed Oakwood, features bug fixes and notable updates to the respective 5.0.0-M2 versions of sub-projects: Spring Cloud Kubernetes; Spring Cloud Function; Spring Cloud Stream; and Spring Cloud Circuit Breaker. Spring Cloud 2025.1.0-M2 is compatible with Spring Boot 4.0.0-M2. Further details on this release may be found in the release notes.
Spring Security
The third milestone release of Spring Security 7.0.0 ships with bug fixes, dependency upgrades and new features such as: a new OneTimeTokenAuthentication class that only handles authenticated users, allowing the existing OneTimeTokenAuthenticationToken class to only handle unauthenticated users; and a new AuthorizationManagerFactory interface for creating custom instances of the AuthorizationManager interface. More details on this release, including breaking changes, may be found in the release notes.
The Spring Security team has disclosed CVE-2025-41248, Spring Security Authorization Bypass for Method Security Annotations on Parameterized Types, a vulnerability, similar to the aforementioned CVE-2025-41249, where the Spring Security annotation detection mechanism “may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics.” This may result in an authorization bypass if using the @PreAuthorize or other method security annotations. This CVE, affecting versions 6.4.0 – 6.4.10 and 6.5.0 – 6.5.4, is only applicable for applications using the @EnableMethodSecurity annotation.
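To check a build against the affected ranges quoted above for both CVE-2025-41249 and CVE-2025-41248, the following added example (not code from the Spring team) scans `mvn dependency:list` output. It assumes the `spring-core` and `spring-security-core` artifacts stand in for the Spring Framework and Spring Security versions in use; the sample lines are constructed.

```python
import re

# Affected ranges as stated in the article (inclusive on both ends).
# Assumption: these two artifacts represent the project versions in use.
AFFECTED = {
    "org.springframework:spring-core": ("CVE-2025-41249", [
        ((6, 2, 0), (6, 2, 10)), ((6, 1, 0), (6, 1, 22)), ((5, 3, 0), (5, 3, 44))]),
    "org.springframework.security:spring-security-core": ("CVE-2025-41248", [
        ((6, 4, 0), (6, 4, 10)), ((6, 5, 0), (6, 5, 4))]),
}

# Matches group:artifact:type:version[:scope] as printed by `mvn dependency:list`.
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:(\d+)\.(\d+)\.(\d+)([^:\s]*)")

def find_affected(dependency_lines, uses_method_security=True):
    """Return sorted (cve, coordinate, version) tuples for affected dependencies.

    Both CVEs apply only to applications using @EnableMethodSecurity, so
    nothing is reported when uses_method_security is False.
    """
    if not uses_method_security:
        return []
    hits = set()
    for line in dependency_lines:
        m = COORD.search(line)
        if not m:
            continue
        coord = f"{m.group(1)}:{m.group(2)}"
        if coord not in AFFECTED:
            continue
        version = tuple(int(m.group(i)) for i in (3, 4, 5))
        cve, ranges = AFFECTED[coord]
        # Qualified builds (e.g. -SNAPSHOT) are flagged conservatively by base version.
        if any(lo <= version <= hi for lo, hi in ranges):
            hits.add((cve, coord, ".".join(map(str, version)) + m.group(6)))
    return sorted(hits)

# Constructed sample input in `mvn dependency:list` format.
SAMPLE = """\
[INFO]    org.springframework:spring-core:jar:6.2.10:compile
[INFO]    org.springframework.security:spring-security-core:jar:6.5.5:compile
[INFO]    org.springframework:spring-web:jar:6.2.10:compile
""".splitlines()

if __name__ == "__main__":
    for hit in find_affected(SAMPLE):
        print(*hit)
```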
Spring Authorization Server
The Spring Security team has announced that the Spring Authorization Server project will be moving to Spring Security. Joe Grandja, Principal Software Engineer at VMware Tanzu and Spring Security committer, stated:
[Spring Authorization Server] has reached that point of maturity and stability and we believe the time is now to move it to Spring Security 7.0. The main benefit this will provide our users is a streamlined developer experience.
The team has assured developers that the impact of this move will be minimal.
Spring for GraphQL
The third milestone release of Spring for GraphQL 2.0.0 provides improvements in documentation, dependency upgrades and new features such as: the addition of schema inspection to check for correct nullness within Kotlin applications using JSpecify annotations; and improved support for request cancellation with the new implementation delivered by GraphQL Java 25. Further details on this release may be found in the release notes and wiki page.
Spring Integration
The third milestone release of Spring Integration 7.0.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: the AbstractPersistentAcceptOnceFileListFilter class can now remotely handle full filenames from within the MetadataStore interface if the same filename is used from different directories; and a removal of the Spring Retry project, now in maintenance-only mode, that will be replaced with the Spring Framework 7.0 core Spring resilience features. More details on this release may be found in the release notes.
Spring Modulith
The third milestone release of Spring Modulith 2.0.0 ships with dependency upgrades and new features such as: a refactoring of the event publication lifecycle to support the Jakarta Persistence specification; and support for Jackson 3.0-based event serialization and Apache Kafka event externalization. Further details on this release may be found in the release notes.
Spring REST Docs
The third milestone release of Spring REST Docs 4.0.0 provides upgrades to Spring Framework 7.0.0-M9 and Jackson 3.0.0-RC9. More details on this release may be found in the release notes.
Spring AI
The release of Spring AI 1.0.2 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: support for GPT-5 models from OpenAI; similarity searches from the MariaDBVectorStore class now provide a score value to complement the existing distance value within the resulting metadata; and objects from the BeanOutputConverter class now enable a proper generated JSON schema for Kotlin data classes and objects. Further details on this release may be found in the release notes.
Spring Batch
The third milestone release of Spring Batch 6.0.0 provides bug fixes, dependency upgrades and new features such as: the ability to trace job executions with JDK Flight Recorder; and a conversion of the Job and Step interfaces to functional interfaces so that they may be used as an assignment target for a lambda expression or method reference. More details on this release may be found in the release notes.
Spring AMQP
The fifth milestone release of Spring AMQP 4.0.0 ships with bug fixes, dependency upgrades and two new features: a replacement of Spring Retry with the Spring Framework 7.0 core Spring resilience features; and the ability to throw an InterruptedException upon unexpected or improper shutdown of custom Java Consumer interface beans. Further details on this release may be found in the release notes.
Spring for Apache Kafka
The fifth milestone release of Spring for Apache Kafka 4.0.0 delivers one bug fix, improvements in documentation, dependency upgrades and two new features: the ability to configure the CompositeBatchInterceptor class on the AbstractMessageListenerContainer class, complementing the same ability for the CompositeRecordInterceptor class; and a replacement of Spring Retry with the Spring Framework 7.0 core Spring resilience features. More details on this release may be found in the release notes.
Spring for Apache Pulsar
The third milestone release of Spring for Apache Pulsar 2.0.0 provides dependency upgrades and one new feature that now allows defining the value of the topicPattern parameter, defined in the @PulsarListener annotation, without requiring the fully-qualified topic name. Further details on this release may be found in the release notes.