Jul 3, 2026

Bootstrap End of Life Dates: Bootstrap 2, 3, 4, and 5 (2026 Guide)

A complete reference for every Bootstrap major version, its release timeline, end-of-life date, and the CVEs still actively affecting unsupported releases.


Bootstrap is the most widely deployed front-end framework on the web. According to BuiltWith, Bootstrap ranks as the most popular technology among design frameworks across the internet, and W3Techs reports that Bootstrap is used by roughly 19% of all websites. Bootstrap 3 alone has been downloaded from npm millions of times per month even years after reaching end of life, and as of March 2024, more than half of all monthly Bootstrap npm downloads (over 2.4 million) were for versions 3 or 4, both of which are no longer maintained by the Bootstrap team.

That gap (between what teams are running and what the Bootstrap project supports) is where the security and compliance risk lives. This guide covers every Bootstrap major version (2, 3, 4, and 5), the exact dates each reached end of life, the CVEs that have been disclosed against the unsupported versions, and the support options available for teams that cannot migrate to Bootstrap 5 right now. It also covers bootstrap-sass, the Ruby and Sass-based port of Bootstrap 3 that is widely used in Rails and other Sass-based applications.

Bootstrap Version Quick Reference

How Bootstrap's Support Policy Works

Bootstrap's release working group manages the lifecycle of each major version through three phases, after which the version reaches end of life:

  1. Active development. New releases land from the main branch on the current major version. Features, bug fixes, security patches, and documentation updates ship regularly.
  2. Long-Term Support (LTS). When a major version is ready to retire, it is frozen and forked into an LTS branch. The main branch then begins work on the next major. During LTS, the version continues to receive bug fixes, security updates, and documentation updates, but no new features.
  3. Maintenance (Critical Support). After a determined period in LTS, the version is deep-frozen. Only critical bug fixes, critical security updates, and important documentation updates are made, with minimal release frequency.
  4. End of Life. After Maintenance ends, the version receives no further updates, no security patches, and no documentation updates from the Bootstrap team. The code remains available on npm, NuGet, RubyGems, Composer, and the GitHub repository, but it is frozen.

This is the structure that has governed Bootstrap 3 (EOL July 24, 2019) and Bootstrap 4 (EOL January 1, 2023). Bootstrap 5 is currently in Active LTS and is the only major version receiving updates from the Bootstrap project today.

Bootstrap 5.x: Currently Supported

Bootstrap 5 was released on May 5, 2021. It introduced a major architectural shift: jQuery was removed as a dependency, the JavaScript was rewritten in vanilla ES modules, CSS custom properties (variables) replaced many Sass-only customization points, and Internet Explorer support was dropped entirely.

The latest stable release is Bootstrap 5.3.8, shipped on August 25, 2025. According to the Bootstrap team, 5.3.8 is expected to be the last patch release on the 5.3 line before Bootstrap 5.4 ships. It includes a revert of a dropdown focus bug, CSS adjustments to bring the color-contrast() function in line with WCAG 2.1, and a fix for spinner distortion inside flex containers. It also marks the start of the Bootstrap Themes site being sunset.

The Bootstrap team has not announced an end-of-life date for Bootstrap 5. Based on the 4.x and 3.x precedent, teams should expect an LTS-to-Maintenance-to-EOL transition once a future Bootstrap 6 is released, but no timeline has been published.

Bootstrap 5 Recent Patch Releases

  • 5.3.8 (Aug 25, 2025): Dropdown focus revert, CSS contrast updates, docs cleanup. Expected to be the last 5.3.x patch.
  • 5.3.7 (Jun 17, 2025)
  • 5.3.6 (May 5, 2025)
  • 5.3.5 (Apr 4, 2025)
  • 5.3.4 (Apr 3, 2025)
  • 5.3.3 (Feb 20, 2024): Fixed a breaking change introduced in 5.3.2 around color modes and variables-dark.scss imports.

Bootstrap 4.x End of Life: January 1, 2023

Bootstrap 4 was released on January 18, 2018 after a long beta cycle. It introduced flexbox-based grid layouts, ES6 modules, the card component, and a switch from Less to Sass. Active support ended on November 1, 2021, and Bootstrap 4 officially reached end of life on January 1, 2023.

The last release on the 4.x line is Bootstrap 4.6.2, published on July 19, 2022. It is the final release that will ever be made on this branch by the Bootstrap team.

Bootstrap 4 Active CVEs Without Official Patches

Two CVEs have been raised against Bootstrap 4 after its EOL date that scanners commonly surface in security audits:

CVE-2024-6531: Bootstrap 4 Carousel XSS via href Attribute

A cross-site scripting vulnerability in the Bootstrap 4 Carousel component. When an anchor element is used for carousel navigation with a data-slide or data-slide-to attribute and contains an href value, that href is not properly sanitized before being evaluated. Improper extraction of the target carousel's #id from the href attribute can lead to cases where preventDefault() is not applied and the href value is executed, enabling arbitrary JavaScript execution in the victim's browser.

  • Affected versions: Bootstrap 4.0.0 through 4.6.2
  • Bootstrap project status: Advisory withdrawn (Bootstrap's JavaScript is not intended to sanitize unsafe HTML, so the project considers this out of scope)
  • Scanner status: Still flagged by Tenable, IBM X-Force, Snyk, Aqua Security, and other commercial vulnerability scanners
  • HeroDevs patch: Available in bootstrap@4.6.2-bootstrap-4.6.4, which properly sanitizes href attributes before evaluation. See CVE-2024-6531 in the HeroDevs Vulnerability Directory.

CVE-2018-14040: Bootstrap Collapse data-parent XSS

A cross-site scripting vulnerability in the Bootstrap Collapse component caused by improper handling of the data-parent attribute, which is processed without validation or sanitization before being used as a jQuery selector. This was patched in Bootstrap 4.1.2 and Bootstrap 3.4.0, but it remains unpatched in Bootstrap 2 and in any application still on a pre-4.1.2 release of Bootstrap 4. CVSS 6.1 (Medium). See CVE-2018-14040 in the HeroDevs Vulnerability Directory.

For a deeper look at how HeroDevs has addressed the post-EOL Bootstrap 4 CVEs, see the HeroDevs blog post on three Bootstrap CVEs disclosed in July 2024.

Bootstrap 3.x End of Life: July 24, 2019

Bootstrap 3 was released on August 19, 2013 and was the version that cemented Bootstrap's place as the dominant front-end framework. It introduced the mobile-first responsive grid, the flat design language, and the icon-font-based Glyphicons set. Active support ended on September 5, 2016 with Bootstrap 4 entering beta, and Bootstrap 3 officially reached end of life on July 24, 2019.

The final release on the 3.x line is Bootstrap 3.4.1, published on February 13, 2019. It included security patches for XSS vulnerabilities discovered in v3.4.0 and was the last update the Bootstrap team will publish for this major version.

Bootstrap 3.4.1 Vulnerabilities and Active CVEs

Despite being the last patched release of the 3.x line, Bootstrap 3.4.1 itself has accumulated several known vulnerabilities that have no official upstream patch.

CVE-2024-6485: Bootstrap 3 Button Plugin XSS via data-loading-text

A cross-site scripting vulnerability in the Bootstrap 3 Button plugin. The Button.prototype.setState function reads data-*-text attributes (such as data-loading-text and data-complete-text) and inserts their values into the button's HTML using jQuery's .html() method without sanitization. Any markup or script in those attribute values is rendered and executed when the button enters the corresponding state.

CVE-2025-1647: Bootstrap 3 Popover and Tooltip XSS

A cross-site scripting vulnerability in the Bootstrap 3 Popover and Tooltip components. Unsanitized HTML can be passed through the popover and tooltip configuration options, allowing arbitrary script execution.

CVE-2018-14040: Collapse data-parent XSS (also affects Bootstrap 3)

The same Collapse data-parent XSS that affects Bootstrap 4 also affects Bootstrap 3 versions prior to 3.4.0. Bootstrap 3.4.0 and later have the official fix.
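
The attribute-driven issues described above (CVE-2024-6531, CVE-2018-14040, and CVE-2024-6485) can be looked for in templates before they reach production. The following is an added example, not code from Bootstrap or HeroDevs: a heuristic audit that flags the markup patterns named in those descriptions. The function names and the sample template are constructed for illustration.

```javascript
// Added example, not Bootstrap or HeroDevs code. Function names and SAMPLE_TEMPLATE are
// constructed; the regex tag scan is a review heuristic, not a full HTML parser.
const NAMED = new Map([["lt", "<"], ["gt", ">"], ["amp", "&"], ["quot", '"'], ["apos", "'"]]);

// Browsers entity-decode attribute values before script reads them, so an escaped
// "&lt;b&gt;" in a template still reaches the plugin as "<b>".
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, body) => {
    if (body[0] !== "#") return NAMED.get(body.toLowerCase()) ?? whole;
    const hex = body[1].toLowerCase() === "x";
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : whole;
  });
}

// Return [{ name, attrs }] for each start tag; attribute names are lower-cased.
function parseStartTags(html) {
  const tags = [];
  const tagRe = /<([a-z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;
  for (const tag of html.matchAll(tagRe)) {
    const attrs = Object.create(null);
    for (const a of tag[2].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    tags.push({ name: tag[1].toLowerCase(), attrs });
  }
  return tags;
}

const MARKUP = /<[a-z!\/]/i; // start of a tag, comment or closing tag

function auditTemplate(html) {
  const findings = [];
  for (const { name, attrs } of parseStartTags(html)) {
    for (const [attr, raw] of Object.entries(attrs)) {
      const value = decodeEntities(raw);
      // Button plugin: data-*-text values are written into the button with .html()
      if (/^data-.+-text$/.test(attr) && MARKUP.test(value))
        findings.push({ cve: "CVE-2024-6485", tag: name, attr, value });
      // Collapse: data-parent is handed to jQuery as a selector without validation
      if (attr === "data-parent" && MARKUP.test(value))
        findings.push({ cve: "CVE-2018-14040", tag: name, attr, value });
    }
    // Carousel: control anchors whose href is anything but a same-page fragment
    const control = "data-slide" in attrs || "data-slide-to" in attrs;
    const href = decodeEntities(attrs.href ?? "#").trim();
    if (name === "a" && control && !href.startsWith("#"))
      findings.push({ cve: "CVE-2024-6531", tag: name, attr: "href", value: href });
  }
  return findings;
}

const SAMPLE_TEMPLATE = `
<button class="btn" data-loading-text="Saving...">Save</button>
<button class="btn" data-loading-text="&lt;b&gt;Saving&lt;/b&gt;">Save</button>
<a class="carousel-control-next" href="#heroCarousel" data-slide="next">Next</a>
<a class="carousel-control-prev" href="javascript:void(0)" data-slide="prev">Prev</a>
<div class="collapse" data-parent="#accordion"></div>
<div class="collapse" data-parent="&lt;i&gt;x&lt;/i&gt;"></div>
`;
console.log(auditTemplate(SAMPLE_TEMPLATE));
```

A finding here means the attribute needs review, especially where its value is filled from user-controlled data; it does not prove the value is attacker-reachable.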

Bootstrap 2.x End of Life: August 19, 2013

Bootstrap 2 was released on January 31, 2012 and is by a wide margin the oldest major version of the framework still in active use in legacy applications. It introduced the 12-column responsive grid, expanded the JavaScript plugin library, and was the first version to be widely adopted across enterprise applications. The final release is Bootstrap 2.3.2, published on July 26, 2013. Active support ended on August 19, 2013, the same day Bootstrap 3 was released, and the version has effectively been frozen since then.

Bootstrap 2 Active CVEs Without Official Patches

Because Bootstrap 2 reached EOL before most modern CVE reporting practices for front-end frameworks were established, several vulnerabilities have been disclosed against it that will never receive an official upstream fix:

Any application still running Bootstrap 2 in 2026 is operating with no upstream maintainer and a known set of XSS vectors. This is the highest-risk Bootstrap version still in production deployment.

Bootstrap-Sass End of Life and Support

bootstrap-sass is the official Sass-based port of Bootstrap 3, distributed as both an npm package and a Ruby gem. It is widely used in Ruby on Rails applications (via the bootstrap-sass gem), Sass-based Node build pipelines (via the npm package), and any project that needs Bootstrap 3 with Sass instead of Less.

Because bootstrap-sass tracks Bootstrap 3, it inherits Bootstrap 3's lifecycle. The last release on the official 3.4.x line is bootstrap-sass 3.4.3, and the project follows the same end-of-life status as Bootstrap 3 itself: EOL as of July 24, 2019. Any CVE that affects Bootstrap 3.4.1 also affects equivalent versions of bootstrap-sass.

Bootstrap-Sass NES from HeroDevs

HeroDevs ships extended support for bootstrap-sass as part of NES for Bootstrap. The full installation and version-selection guidance is documented at docs.herodevs.com/bootstrap-sass, but the key decision is which Sass compiler your project uses:

  • bootstrap-sass NES 3.4.1 (version string 3.4.1-bootstrap-sass-3.4.x): For projects using node-sass (LibSass). This is typical of older Node and Rails applications that have not migrated their Sass toolchain.
  • bootstrap-sass NES 3.4.3 (version string 3.4.3-bootstrap-sass-3.4.x): For projects using sass (Dart Sass), the actively maintained Sass compiler. This is the modern path for new and recently maintained applications.

You can identify which compiler your project uses by checking the dependencies or devDependencies block of package.json, or by running npm list node-sass sass in the project root. Both NES variants are available on npm and RubyGems and are protected under the same Never-Ending Support model as the core Bootstrap library.

For background on why bootstrap-sass carries the same risk profile as Bootstrap 3 itself, see the HeroDevs blog post on the hidden risks of Bootstrap-Sass.

HeroDevs Is the Official Bootstrap End-of-Life Support Partner

This matters for compliance documentation and procurement teams: HeroDevs is the named, official end-of-life support partner of Bootstrap. The Bootstrap project's own End of Life Status page for Bootstrap 4 directs teams to HeroDevs Never-Ending Support as the recommended option for organizations that cannot upgrade to Bootstrap 5. The endoflife.date Bootstrap page also lists HeroDevs as the commercial support provider for EOL versions.

The partnership is not a third-party badge. HeroDevs collaborates directly with Bootstrap's core team and principal contributors on NES for Bootstrap, which means patches are produced with input from the same maintainers who built the original library. NES for Bootstrap is positioned as a drop-in replacement, so applications can adopt the patched packages without code changes, and support begins the day Bootstrap's official OSS support ends, with no gap in patching between the last upstream release and the first NES release.

What Happens After Bootstrap Reaches End of Life

When a Bootstrap major version reaches EOL, three things change immediately for any team still running it:

  1. No more security patches. Any newly disclosed XSS, prototype pollution, or other client-side vulnerability against the EOL version will not receive an official fix from the Bootstrap team. CVE-2024-6485, CVE-2025-1647, CVE-2018-14040, CVE-2018-14042, and CVE-2019-8331 are concrete examples of this happening across Bootstrap 2, 3, and 4.
  2. Browser and dependency compatibility degrades. Bootstrap 3 and 4 both depend on jQuery, which itself has had multiple post-EOL CVEs. Browser updates can also break Bootstrap component behavior that was tested against now-obsolete browser builds. EOL Bootstrap versions are not tested against new browser releases.
  3. Compliance audits flag it. SOC 2, PCI DSS, HIPAA, FedRAMP, the EU Cyber Resilience Act, and most internal security policies require organizations to run supported software. Bootstrap 3 and 4 appearing in a software bill of materials (SBOM) typically triggers an audit finding, regardless of whether any specific CVE has been exploited.

For Bootstrap specifically, scanner detection of these CVEs is widespread: Qualys, Tenable, Snyk, GitHub Advisory Database, Red Hat security advisories, Debian LTS announcements, and IBM X-Force all index the Bootstrap 3 and 4 CVEs and will surface them on any application that has these versions in its dependency tree.
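
To see roughly what those scanners see, take the inventory from the lockfile rather than from package.json; the same pass answers the node-sass versus sass question from the bootstrap-sass section. This is an added example, not Bootstrap or HeroDevs code, and it goes beyond the package.json check by reading an npm lockfile (lockfileVersion 2 or 3 assumed). The EOL dates and CVE ranges are copied from this page; the lockfile contents and function names are constructed.

```javascript
// Added example, not Bootstrap or HeroDevs code. Dates and CVE ranges are copied from
// this page; function names and SAMPLE_LOCK are constructed for illustration.
const EOL = { 2: "2013-08-19", 3: "2019-07-24", 4: "2023-01-01" }; // 5: no EOL announced
const TRACKED = new Set(["bootstrap", "bootstrap-sass", "node-sass", "sass"]);

// "4.6.2" or "4.6.2-bootstrap-4.6.4" -> { nums: [4, 6, 2], suffix }.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { nums: [+m[1], +m[2], +m[3]], suffix: m[4] || null } : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// CVE applicability as stated on this page for upstream "bootstrap" releases.
function pageCves(nums) {
  const major = nums[0];
  const cves = [];
  if (major === 2 || (major === 3 && lessThan(nums, [3, 4, 0])) ||
      (major === 4 && lessThan(nums, [4, 1, 2]))) cves.push("CVE-2018-14040");
  if (major === 4 && !lessThan([4, 6, 2], nums)) cves.push("CVE-2024-6531");
  if (nums.join(".") === "3.4.1") cves.push("CVE-2024-6485", "CVE-2025-1647");
  return cves;
}

// Walk every installed copy, including nested ones that package.json never mentions.
function inventory(lock) {
  const rows = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const v = TRACKED.has(name) && meta.version ? parseVersion(meta.version) : null;
    if (!v) continue;
    const row = { path, name, version: meta.version };
    if (name.startsWith("bootstrap")) {
      // The page's NES version strings carry a "-bootstrap-..." suffix; matching on the
      // base version alone cannot tell them from the upstream release.
      row.nesBuild = v.suffix !== null && v.suffix.startsWith("bootstrap-");
      row.eol = EOL[v.nums[0]] || null;
      // null = not evaluated here (vendor build, or bootstrap-sass: no range on the page)
      row.cves = row.nesBuild || name !== "bootstrap" ? null : pageCves(v.nums);
    }
    rows.push(row);
  }
  return rows;
}

// Which Sass compiler(s) are installed: "node-sass" (LibSass) and/or "sass" (Dart Sass).
function sassCompilers(rows) {
  const names = rows.map((r) => r.name).filter((n) => n === "node-sass" || n === "sass");
  return [...new Set(names)].sort();
}

const SAMPLE_LOCK = { // constructed sample, not a real project
  lockfileVersion: 3,
  packages: {
    "": { name: "legacy-portal", version: "1.0.0" },
    "node_modules/bootstrap": { version: "3.4.1" },
    "node_modules/admin-theme/node_modules/bootstrap": { version: "4.1.0" },
    "node_modules/widgets/node_modules/bootstrap": { version: "4.6.2-bootstrap-4.6.4" },
    "node_modules/bootstrap-sass": { version: "3.4.3" },
    "node_modules/sass": { version: "1.77.0" },
  },
};
console.log(inventory(SAMPLE_LOCK), sassCompilers(inventory(SAMPLE_LOCK)));
```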

Options for Bootstrap Versions Past End of Life

If your application is on Bootstrap 2, 3, or 4, there are three realistic paths forward.

1. Upgrade to Bootstrap 5

This is the best long-term option for most teams. Bootstrap 5 is actively maintained, has a healthier dependency footprint (no jQuery), and offers a more modern CSS architecture built on custom properties. The trade-off is the work involved: Bootstrap 5 removed jQuery, restructured many components, updated the grid system, and introduced a utility-first approach that changes layout, spacing, and responsiveness across most pages. Custom themes and overrides built for Bootstrap 3 or 4 do not transfer cleanly because the variables, mixins, and customization model were redesigned. For most production applications, this is a multi-month refactor.

2. Migrate Away from Bootstrap Entirely

Some teams use an EOL event as the catalyst for a broader platform shift to Tailwind CSS, a custom design system, or a different component library. This is typically the most expensive option but can be the right call when the underlying application is already due for a UI overhaul.

3. Adopt Never-Ending Support (NES) for Bootstrap

For teams that cannot complete a Bootstrap 5 migration on a timeline that aligns with their compliance or security obligations, HeroDevs Never-Ending Support for Bootstrap provides a drop-in replacement for Bootstrap 2, 3, and 4 (including bootstrap-sass). NES for Bootstrap support begins the day the open-source version reaches EOL, with no gap in patching. A new NES release ships each time a security issue is identified, validated, and fixed. HeroDevs is the official EOL support partner of Bootstrap, which means the same maintainers who built the library are involved in the patches.

Quick Reference: Is My Bootstrap Version Supported?

Frequently Asked Questions

When did Bootstrap 3 reach end of life?

Bootstrap 3 reached end of life on July 24, 2019. The final release on the 3.x line is Bootstrap 3.4.1, published on February 13, 2019. No further security patches, bug fixes, or documentation updates have been issued by the Bootstrap team since then.

When did Bootstrap 4 reach end of life?

Bootstrap 4 reached end of life on January 1, 2023. The final release is Bootstrap 4.6.2, published on July 19, 2022. Active support for Bootstrap 4 ended on November 1, 2021, with the version remaining in critical-support mode until the January 2023 EOL date.

Is Bootstrap 3.4.1 still safe to use?

Bootstrap 3.4.1 is the last patched version of Bootstrap 3, but it is not free of known vulnerabilities. CVE-2024-6485 (XSS in the Button plugin) and CVE-2025-1647 (XSS in the Popover and Tooltip components) both affect Bootstrap 3.4.1, and no official patch will be issued because Bootstrap 3 is EOL. Applications running 3.4.1 in production should either upgrade to Bootstrap 5 or adopt NES for Bootstrap to receive patched versions.

Is Bootstrap 4.6.2 vulnerable?

Yes. CVE-2024-6531, an XSS vulnerability in the Bootstrap 4 Carousel component via unsanitized href attributes, affects all Bootstrap 4 versions including 4.6.2. The Bootstrap project withdrew the advisory on the grounds that sanitizing unsafe HTML is outside the project's stated security model, but commercial vulnerability scanners (Tenable, Snyk, IBM X-Force, Aqua Security) still flag the issue. CVE-2018-14040 also affects pre-4.1.2 releases of Bootstrap 4.

What is the latest version of Bootstrap?

The latest stable release of Bootstrap is 5.3.8, published on August 25, 2025. According to the Bootstrap team, this is expected to be the final patch release on the 5.3 line before Bootstrap 5.4 ships.

Is bootstrap-sass end of life?

Yes. bootstrap-sass tracks Bootstrap 3, which reached end of life on July 24, 2019. The last official releases are bootstrap-sass 3.4.3 (for Dart Sass) and 3.4.1 (for node-sass/LibSass). HeroDevs provides Never-Ending Support for both compiler variants. The selection guide is at docs.herodevs.com/bootstrap-sass.

Does the official Bootstrap project recommend a commercial support provider for EOL versions?

Yes. The official Bootstrap End of Life Status page (getbootstrap.com/docs/4.6/end-of-life/) directs teams to HeroDevs Never-Ending Support as the recommended option for organizations that cannot upgrade to Bootstrap 5. The endoflife.date Bootstrap page lists HeroDevs as the commercial support provider for EOL versions of Bootstrap 2, 3, and 4.

Can I just stay on Bootstrap 3 or 4 indefinitely?

The library will continue to function on npm, NuGet, RubyGems, Composer, and the GitHub repository because it remains hosted. However, "the code still loads" is not the same as "the code is supported." Without ongoing patches, new CVEs against Bootstrap 3 and 4 (such as CVE-2024-6485 and CVE-2024-6531) will accumulate unpatched, scanner findings will pile up in audits, and downstream dependencies (jQuery, the host browser, build tooling) will continue to drift. Most organizations under SOC 2, PCI DSS, HIPAA, FedRAMP, or the EU CRA cannot stay on EOL software indefinitely without a documented support plan.

How does Never-Ending Support for Bootstrap work?

NES for Bootstrap is a drop-in replacement: you change the package version in package.json, composer.json, Gemfile, or your .csproj and continue running the same application code. HeroDevs ships a new NES release each time a security issue is identified, validated, and fixed. Support begins the day Bootstrap's OSS support ends, with no gap in patching between the last upstream release and the first NES release.

Taking Action

Bootstrap 3 has been end-of-life for over six years. Bootstrap 4 has been end-of-life for over three. The CVEs are real, the scanner findings are real, and the compliance pressure is increasing as frameworks like the EU Cyber Resilience Act move toward enforcement. The "do nothing" path means accumulating unpatched XSS vectors in production while audit findings stack up.

If your application is on Bootstrap 2, 3, or 4 (or on bootstrap-sass 3.4.x), the two viable paths are upgrading to Bootstrap 5 on a timeline you control, or adopting Never-Ending Support for Bootstrap so the security and compliance clock stops ticking while the migration happens. HeroDevs is the Bootstrap project's named EOL support partner, and patches for the active Bootstrap CVEs are already shipped.

To talk through your specific Bootstrap version and migration timeline, contact HeroDevs.

Author
Greg Allen
Chief Technology Officer