Spring Boot 4.0.6: 65 Fixes and Eight Critical CVEs Patched
Spring Boot 4.0.6 is now available on Maven Central, delivering 65 bug fixes and dependency upgrades alongside a focused set of security patches that the Spring team is urging all users to apply promptly.
The security headline is the closure of eight CVEs. Among the most significant: a TLS hostname verification bypass that could allow a man-in-the-middle attack under specific SSL configuration; a timing attack vulnerability in the Spring Boot DevTools hot-reload path that could leak information about running application state; and an authorization gap in Actuator security filters that could permit unauthorized access to management endpoints when custom security configurations were combined with Actuator's default filter chain. A symlink-following risk during PID file operations at startup—relevant in containerised deployments where the PID file path is shared or writable by multiple processes—rounds out the higher-severity fixes.
Beyond security, the release addresses a collection of correctness and stability regressions reported against the 4.0.x line. Dependency upgrades across the bill of materials bring transitive library versions in line with their latest patch releases, reducing exposure to vulnerabilities in indirect dependencies. The Spring team has also merged fixes targeting edge cases in auto-configuration for several commonly used integrations.
Teams running Spring Boot 4.0.x in production should treat this as a mandatory update given the CVE surface area. For teams still on 3.5.x, a corresponding patch release (3.5.14) was made available on the same date covering equivalent fixes against that supported branch.
Read more — Spring
Links & Sources
You May Also Enjoy
