What You Need to Know: Spring Framework’s End-of-Life Dates
A complete reference for every Spring Framework release timeline, and what end-of-life actually means for the enterprise Java teams still running 5.3 and 6.1 in production.
Spring Framework is the foundation of the modern Java enterprise stack. It sits underneath Spring Boot, Spring Security, Spring Batch, and most of the Java backends shipped in the last fifteen years. Because it is a transitive dependency in so many projects, teams routinely run an end-of-life Spring Framework version without realizing it, inheriting the version pinned by their Spring Boot release train.
That matters right now. As of June 2026, Spring Framework 6.1.x and the entire 5.3.x line are past end-of-life, and 6.2.x reaches end-of-life on June 30, 2026. Only 7.0.x will remain on community support after that date. If your build is on anything in the 5.x or 6.x families, you are either already receiving zero security patches from Maven Central or you are weeks away from it.
This page is the definitive reference for every Spring Framework major version, its release date, its support window, the CVEs disclosed against unsupported branches, and your concrete options for staying secure and compliant past EOL.
Spring Framework vs. Spring Boot: Why This Distinction Matters
These are two different products with two different lifecycles, and conflating them is the single most common source of EOL confusion on Java teams.
Spring Framework is the core: dependency injection, the application context, transaction management, Spring MVC and WebFlux, data access, SpEL, and AOP. It is the org.springframework:spring-core artifact family on Maven Central.
Spring Boot is an opinionated layer built on top of Spring Framework. It adds auto-configuration, starter dependencies, embedded servers, and production tooling. It is the org.springframework.boot artifact family.
The practical implication: each Spring Boot release train pins a specific Spring Framework version. Spring Boot 3.5, for example, ships on Spring Framework 6.2. Spring Boot 4.0 ships on Spring Framework 7.0. When you upgrade or stay put on a Boot version, you are also inheriting that Framework version's support window. A team that believes it is "on a supported Spring Boot release" can still be carrying a Spring Framework branch that is closer to EOL, or already past it, depending on patch alignment.
Two consequences follow. First, when a CVE lands in Spring Framework itself (path traversal in the web modules, a DoS in spring-web, an SpEL issue), it affects every Spring Boot app on the corresponding Framework version, regardless of how current your Boot version looks. Second, your EOL exposure is governed by both timelines. This page covers the Framework lifecycle. For the Spring Boot release trains, EOL dates, and latest patch versions, see our companion reference: Spring Boot Versions, EOL Dates, and Latest Releases.
Versions Reaching EOL Next: What to Watch
Spring Framework 6.2 End of Life: June 30, 2026
Spring Framework 6.2 is the only 6.x feature branch still receiving patches, and that ends on June 30, 2026. After that date, the entire Spring Framework 6 generation will be off support, and 7.0 becomes the only generation with free patches on Maven Central.
This is the migration most enterprise teams should be planning right now. Spring Framework 6.2 is the version under Spring Boot 3.5, which is one of the most widely deployed Boot trains in production today. When 6.2 goes EOL, every Spring Boot 3.5 application inherits that exposure unless the team moves to Boot 4.x (on Framework 7) or arranges extended support.
Spring Framework 6.1: Already EOL (Ended June 30, 2025)
Spring Framework 6.1 reached end-of-life on June 30, 2025. The final release was 6.1.21 (June 12, 2025). Any application on a 6.1 patch level is no longer receiving free security updates, and new CVEs disclosed against the branch get no free fix on Maven Central.
One CVE makes this concrete. CVE-2025-41242 (path traversal on non-compliant Servlet containers) was disclosed August 14, 2025, after 6.1 went EOL. The fix landed in the supported 6.2.10 release, but there is no free patch path for 6.1; the only options are to upgrade to 6.2/7.0 or get covered another way. (CVSS scoring varies by source: NVD rates it 5.9 medium, while Snyk scores it 8.2 high; the attack requires a non-compliant Servlet container, which is why estimates differ.)
Spring Framework 5.3: EOL Since August 31, 2024, and Still Everywhere
Spring Framework 5.3 was the final 5.x feature branch and one of the longest-supported branches in Spring's history. Support ended August 31, 2024, with 5.3.39 as the last free release. Despite that, 5.3 remains heavily deployed, for one specific reason: migrating off it requires jumping to Java 17. Spring Framework 5.3 supports Java 8 through 21, but every 6.x and 7.x version requires Java 17 as a hard minimum. Teams still on Java 8 or 11 cannot move to a supported Framework generation without also doing a JDK migration, which is why so many production systems are pinned to an EOL 5.3.
That pinning is now a liability. The CVE-2024-38816 / CVE-2024-38819 path-traversal pair in the functional web frameworks (WebMvc.fn and WebFlux.fn, both CWE-22, CVSS 7.5) was among the last issues to get free fixes before the 5.3 support window closed. Anything disclosed after August 31, 2024 does not get a free 5.3 patch.
Spring Framework 7.0: The Current Generation
Spring Framework 7.0 shipped November 30, 2025 and is the current production line, with support through June 30, 2027. The latest release is 7.0.8 (June 8, 2026). It moves to a Jakarta EE 11 baseline (Servlet 6.1, JPA 3.2), with early support for EE 12, requires Java 17 as a minimum, and supports Java up to 25. The next feature branch, 7.1.x, is expected November 2026. For new projects and for teams able to move off the 6.x generation, 7.0 is the recommended target.
Notable CVEs Across Recent Spring Framework Versions
These vulnerabilities affect core Spring Framework (not Spring Boot auto-config, and not Spring Security as a separate product). Each links to the HeroDevs vulnerability directory entry with affected ranges and remediation detail.
The pattern worth internalizing: many of these issues span every maintained generation at disclosure time, but the free fix only ships to the supported branches. For 5.3 and 6.1, a new CVE means no patch on Maven Central at all.
What Happens After Spring Framework End of Life
When a Spring Framework branch reaches end-of-life, three things change, and none of them are theoretical for a framework this deeply embedded in the Java ecosystem.
- Security patches stop reaching Maven Central. New CVEs against the branch go unpatched in the free line. Your build, which pulls from the public repository, gets nothing. The attack surface grows with every disclosure, and most scanners flag only known CVEs, not the silent accumulation of unpatched ones.
- Transitive exposure compounds. Because Spring Framework underpins Spring Security, Spring Batch, Spring Integration, and your Spring Boot starters, an EOL Framework version drags its whole dependency neighborhood with it. You cannot bump one starter to dodge a spring-web CVE; the fix has to come from the Framework branch itself.
- Compliance audits flag it. SOC 2, PCI DSS, HIPAA, FedRAMP, and the EU Cyber Resilience Act all require maintained, patched software. An EOL Spring Framework version on a spring-core SBOM line is an audit finding, and scanners like Qualys and the OWASP Dependency-Check tooling will surface it as EOL/obsolete software regardless of whether a specific CVE is currently public.
The migration is rarely a one-version hop. Moving from 5.3 to 6.x crosses the javax to jakarta namespace boundary and the Java 8/11 to Java 17 boundary, which together touch nearly every dependency in a real application. That is precisely why teams stall on EOL versions, and why "just upgrade" is more expensive advice than it sounds.
Options for EOL Spring Framework Versions
There are three honest paths once your Framework branch is past support. Each is correct in the right situation.
1. Upgrade to a supported generation. Long term, this is the right destination for most teams. Target Spring Framework 7.0 (via Spring Boot 4.x) if you can move to Java 17+. The cost is real: the javax to jakarta migration, JDK upgrade, and dependency cascade make this a project, not a patch. Budget time for testing, especially around the web layer and any reflection-heavy or javax-dependent libraries.
2. Migrate off Spring entirely. A minority of teams use an EOL event to justify a platform shift (to Quarkus, Micronaut, or a non-JVM stack). This is the most expensive and highest-risk option and is rarely justified by the EOL alone, but it occasionally aligns with a broader re-architecture already in flight.
3. Adopt extended support to stay secure without an emergency migration. HeroDevs Never-Ending Support (NES) for Spring provides a secure, drop-in replacement for EOL Spring Framework branches, delivered through a private registry, with no code changes required. NES covers Spring Framework 4.3, 5.3, 6.1, and 6.2 (alongside the corresponding Spring Boot trains: 1.5, 2.5, 2.7, 3.2, 3.3, 3.4, and 3.5). The model is straightforward: HeroDevs picks up patching the day open-source support ends, with no gap, backed by compliance SLAs so you stay audit-ready. This is the right choice when you need continued security and compliance on your own migration timeline, rather than a forced upgrade driven by a CVE or an audit deadline.
These options are not mutually exclusive. The common pattern is to put EOL services under NES to stop the bleeding and clear the audit, then migrate to a supported generation deliberately, on a schedule the team controls instead of one a scanner dictates.
Quick Reference: Is My Spring Framework Version Supported?
Frequently Asked Questions
What is the latest version of Spring Framework?
As of June 2026, the latest Spring Framework release is 7.0.8, shipped June 8, 2026. Spring Framework 7.0 is the current production generation, with support through June 30, 2027.
When does Spring Framework 6 reach end of life?
The Spring Framework 6 generation is mostly already EOL. Spring Framework 6.0 ended support June 30, 2024, and 6.1 ended June 30, 2025. The final 6.x branch, 6.2, reaches end-of-life on June 30, 2026. After that date, no 6.x version receives free patches on Maven Central.
Is Spring Framework 5 still supported?
No. The entire Spring Framework 5.x line is past end-of-life. The final branch, 5.3, ended support on August 31, 2024. Spring 5.3 remains widely deployed because moving to 6.x requires Java 17, but it no longer receives free security patches. HeroDevs NES covers 5.3 as a drop-in replacement.
Does Spring Framework have LTS releases?
Not in the open-source sense. Spring does not officially apply the "LTS" label to its free support windows. Each major generation receives a multi-year support window on Maven Central, after which the branch stops receiving free patches. To keep an EOL branch patched without migrating, teams turn to extended support such as HeroDevs NES.
My Spring Boot version is supported. Does that mean my Spring Framework is supported?
Not necessarily. Spring Boot and Spring Framework have separate lifecycles, and each Boot release train pins a specific Framework version. A supported Boot version generally pins a supported Framework version, but the two EOL dates differ, and CVEs in core Spring Framework affect your app regardless of how current your Boot version looks. Check both. See our Spring Boot EOL reference for the Boot side of the timeline.
What to Do Now
Spring Framework EOL usually arrives quietly: free patches stop reaching Maven Central while your application keeps running and your scanner keeps showing green until the next CVE drops. With 6.2 going EOL on June 30, 2026, and 5.3 and 6.1 already past it, most enterprise Java teams are carrying at least one unsupported Spring branch right now, often inherited transitively through Spring Boot.
Audit your spring-core version against the timeline above. If you are on 5.3, 6.0, or 6.1, you are past support today. If you are on 6.2, you have weeks. Then choose deliberately: upgrade to 7.0 on a schedule you control, or put the EOL branch under extended support so a CVE disclosure or an audit finding does not force an emergency migration.
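One way to run that audit, as an added example (not HeroDevs or Spring project code): it parses `mvn dependency:tree` output, keeps only the core `org.springframework` groupId so a Boot version is never mistaken for a Framework version, and classifies each branch against the dates stated on this page. The sample tree, the audit date and the 90-day warning window are constructed assumptions.

```python
import re
from datetime import date

# End-of-support dates per branch, exactly as stated in this article.
EOL = {"5.3": date(2024, 8, 31), "6.0": date(2024, 6, 30),
       "6.1": date(2025, 6, 30), "6.2": date(2026, 6, 30),
       "7.0": date(2027, 6, 30)}

# Only the core Framework groupId; org.springframework.boot / .security
# have their own version lines and must not be read as Framework versions.
COORD = re.compile(r"(?<![\w.])org\.springframework:(\S+)")

def framework_versions(tree_text):
    """Return {artifact: version} for core Framework jars in dependency:tree output."""
    found = {}
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        # artifact:type:version:scope, or artifact:type:classifier:version:scope
        if len(parts) == 4:
            found[parts[0]] = parts[2]
        elif len(parts) == 5:
            found[parts[0]] = parts[3]
    return found

def classify(version, today, warn_days=90):
    """eol / expiring / supported; unlisted if EOL has no date for the branch.
    warn_days is an assumed threshold, not something the article defines."""
    eol = EOL.get(".".join(version.split(".")[:2]))
    if eol is None:
        return "unlisted"
    if today > eol:
        return "eol"
    return "expiring" if (eol - today).days <= warn_days else "supported"

def audit(tree_text, today):
    """Return sorted (artifact, version, status) for every core Framework jar."""
    return sorted((a, v, classify(v, today))
                  for a, v in framework_versions(tree_text).items())

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.2.0:compile
[INFO] |  +- org.springframework:spring-web:jar:6.1.21:compile
[INFO] |  \\- org.springframework:spring-core:jar:6.1.21:compile
[INFO] \\- org.springframework:spring-test:jar:6.2.10:test
"""
```

Call `audit(tree_text, date.today())` on real `mvn dependency:tree` output; branches the page gives no date for come back as `unlisted` rather than being guessed.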
If your organization is running an end-of-life version of Spring Framework, see HeroDevs Never-Ending Support for Spring for drop-in patched releases, or contact HeroDevs to talk through your options.
