NES for Spring
Legacy Spring versions still function after support ends — but that's not good enough for internal SLAs, CVE disclosures, and security audits.
Never-Ending Support (NES) for Spring keeps you compliant, secure, and audit-ready without an unplanned migration or risky patchwork.
Patch CVEs, Meet Internal SLAs, Pass Audits — in Minutes.
Spring Boot Support Timeline
Explore the full lifecycle of major Spring Boot releases, including when OSS support ends, paid enterprise support begins, and HeroDevs steps in to extend it indefinitely.
OSS Support
Free OSS Support
Broadcom Support
Tanzu Spring Paid Support
HeroDevs Support
HeroDevs Never-Ending Support
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
& Beyond
Boot 3.5.x
Boot 3.4.x
Boot 3.3.x
Boot 3.2.x
Boot 2.7.x
Boot 1.5.x
June 10, 2025
HeroDevs Supported Versions
HeroDevs provides full-stack coverage across the Spring ecosystem—including Framework, Security, Data, Cloud, Web, and more—based on your selected Boot version. Choose a release below to see exactly what’s included in NES support.
Select version to view details below
What is included in NES for Spring Boot 1.5?
HeroDevs has support for the entire Spring Portfolio based on the versions that are managed by Boot 1.5. This includes:
Boot 1.5: EOL since August 2019
Framework 4.3: EOL since December 2020
Boot 1.5: EOL since August 2019
Framework 4.3: EOL since December 2020
Spring Security 4.2
Spring Retry 1.2
Spring Boot 1.5
Spring Framework 4.3
Spring Security JWT 1.1
Spring Social 1.1
Spring Social Twitter 1.1
Spring WS 2.4
Spring Session 1.3
+ more
What is included in NES for Spring Boot 2.7?
HeroDevs has support for the entire Spring Portfolio based on the versions that are managed by Boot 2.7. This includes:
Boot 2.7: EOL since June 2023
Framework 5.3: EOL since June 2023
Boot 2.7: EOL since June 2023
Framework 5.3: EOL since June 2023
Spring Boot 2.7
Spring Framework 5.3
Spring Security 5.7
Spring Security 5.8
Spring LDAP 2.4
Spring Data 2021.2
Spring Cloud 2021 (Jubilee)
Spring Integration 5.5
Spring for Apache Kafka 2.8
Spring Session 2.7
Spring Batch 4.3
Spring Web Flow 2.5
Spring WS 3.1
+ more
In addition to Spring libraries, support is also offered for managed dependencies including popular projects:
Apache Kafka
%201.svg)
Apache Log4j2
Apache Solr
Eclipse Jetty
Hibernate Validator
Jackson Databind
Logback
Netty
SnakeYAML
Undertow
+ more
In transitive dependency versions, the last Open Source release of Spring Boot 2.7 has 143 CVEs across 79 projects. Take that number to ZERO vulnerabilities in OSS software with HeroDevs.
Talk to Our Experts
What is included in NES for Spring Boot 3.2?
HeroDevs has support for the entire Spring Portfolio based on the versions that are managed by Boot 3.2. This includes:
Boot 3.2: EOL since Dec 2024
Framework 6.1: EOL June 2025
Boot 3.2: EOL since Dec 2024
Framework 6.1: EOL June 2025
Spring Boot 3.2
Spring Framework 6.1
Spring Security 6.2
Spring Data 2023.1
Spring Cloud 2023 (Leyton)
Spring Integration 6.2
Spring for Apache Kafka 3.1
Spring Batch 5.1
Spring WS 4.0
Spring LDAP 3.2
Spring Session 3.2
+ more
What is included in NES for Spring Boot 3.3?
HeroDevs has support for the entire Spring Portfolio based on the versions that are managed by Boot 3.3. This includes:
Boot 3.3: EOL since June 2025
Framework 6.1: EOL since June 2025
Boot 3.3: EOL since June 2025
Framework 6.1: EOL since June 2025
Spring Boot 3.3
Spring Framework 6.1
Spring Security 6.3
Spring Data 2024.0
Spring Cloud 2023 (Leyton)
Spring Integration 6.3
Spring for Apache Kafka 3.2
Spring Batch 5.1
Spring WS 4.0
Spring LDAP 3.2
Spring Session 3.3
+ more
What is included in NES for Spring Boot 3.4?
HeroDevs has support for the entire Spring Portfolio based on the versions that are managed by Boot 3.4. This includes:
Boot 3.4: EOL Dec 2025
Framework 6.2: EOL planned June 2026
Boot 3.4: EOL Dec 2025
Framework 6.2: EOL planned June 2026
Spring Boot 3.4
Spring Framework 6.2
Spring Security 6.4
Spring Data 2024.1
Spring Cloud 2024 (Moorgate)
Spring Integration 6.4
Spring for Apache Kafka 3.3
Spring Batch 5.2
Spring WS 4.0
Spring LDAP 3.4
Spring Session 3.4
+ more
What is included in NES for Spring Boot 3.5?
HeroDevs has support for the entire Spring Portfolio based on the versions that are managed by Boot 3.5. This includes:
Boot 3.5: EOL planned June 2026
Framework 6.2: EOL planned June 2026
Boot 3.5: EOL planned June 2026
Framework 6.2: EOL planned June 2026
Spring Boot 3.5
Spring Framework 6.2
Spring Security 6.5
Spring AI 1.0, 1.1
Spring Integration 6.5
Spring for Apache Kafka 3.3
Spring Batch 5.2
Spring WS 4.1
Spring LDAP 3.3
Spring Session 3.5
+ more
Vulnerability Remediation
0 EOL Security Issues Patched in NES for Spring
(and always looking for more)
If you're running legacy/unsupported versions of Spring, you're exposed. These aren't theoretical risks. They are real vulnerabilites that could get exploited tomorrow.
Never-Ending Support (NES) for Spring gives you a secure drop-in replacement without migrating a single line of code.
No scrambling. No rewrites. Just security updates delivered by a team that treats end-of-life like a starting line.
Never-Ending Support (NES) for Spring gives you a secure drop-in replacement without migrating a single line of code.
No scrambling. No rewrites. Just security updates delivered by a team that treats end-of-life like a starting line.
Severity
ID
Technology
Libraries Affected
Category
Version(s) Affected
Published Date
High
Spring
Spring Data Geode
Path Traversal
>= 2.0.0 <= 2.7.18, >= 1.7.0 <= 2.2.13
Feb 20, 2026
Medium
Spring
Spring Data Geode
Creation of Temporary File in Directory with Insecure Permissions
>= 2.0.0 < 2.7.18, >= 1.7.0 <= 2.2.13
Feb 19, 2026
Medium
Spring
Apache Kafka
Inconsistent Interpretation of HTTP Requests
>=2.3.0 <=3.5.2 >=3.6.0 <=3.6.2 =3.7.0
Dec 16, 2025
Medium
Spring
Apache Kafka
Incorrectly Configured Access Control
>=0.10.2.0 <3.7.2 =3.8.0
Dec 16, 2025
High
Spring
Spring Cloud Gateway
Information Exposure
>=3.1.0 <=3.1.11, >=4.0.0, >=4.1.0 <=4.1.11, >=4.2.0 <=4.2.5, >=4.3.0 <=4.3.1
Oct 21, 2025
Medium
Spring
Spring Framework
Cross-site Request Forgery
>=6.2.0 < 6.2.12, >=6.1.0 < 6.1.24, >=6.0.0 <=6.0.29, >=5.3.0 < 5.3.46, <5.3.0, >4.3.0 <= 4.3.30
Oct 21, 2025
Medium
Spring
Spring Framework
Privilege Abuse
>=5.3.0 <=5.3.44, >=6.0.0 <=6.0.29, >=6.1.0 <6.1.23, >=6.2.0 <6.2.11
Sep 22, 2025
Critical
Spring
Spring Cloud Gateway
Incorrectly Configured Access Control
>=3.1.0 <=3.1.9, >=4.0.0 <=4.0.9, >=4.1.0 <=4.1.9, >=4.2.0 <4.2.5, >=4.3.0 <4.3.1
Sep 10, 2025
Medium
Spring
Spring Framework
Path Traversal
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.43, >=6.0.0 <=6.0.29, >=6.1.0 <=6.1.21, >=6.2.0 <=6.2.9
Aug 18, 2025
High
Spring
Spring Cloud Gateway
HTTP Request Smuggling
<=3.1.10, >= 4.0.0 <= 4.0.10, >=4.1.0 <4.1.8, >=4.2.0 <4.2.3, >4.3.0-{M1, M2, RC1} < 4.3.0
Jun 2, 2025
Low
Spring
Spring Framework
Authorization Bypass
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.42, >=6.0.0 <=6.0.27, >=6.1.0 <6.1.20, >=6.2.0 <6.2.7
May 15, 2025
High
Spring
Spring Security
Authorization Bypass
>=5.7.0 <5.7.12, >=5.8.0 <5.8.11, >=6.0.0 <6.0.10, >=6.1.0 <6.1.8, >=6.2.0 <6.2.3
May 8, 2025
Medium
Spring
Spring Boot
Incorrectly Configured Access Control
<2.7.0, >=2.7.0 <2.7.25, >=3.1.0 <3.1.16, >=3.2.0 <3.2.14, >=3.3.0 <3.3.11, >=3.4.0 <3.4.5
Apr 25, 2025
Medium
Spring
Spring Security
Information Exposure
=5.7.16, =5.8.18, =6.0.16, =6.1.14, =6.2.10, =6.3.8, =6.4.4
Apr 22, 2025
Medium
Spring
Spring Cloud Config
Authorization Bypass
>=2.2.0 <=2.2.8, >=3.0.0 <=3.0.7, >=3.1.0 <3.1.10, >=4.0.0 <=4.0.5, >=4.1.0 <4.1.6, >=4.2.0 <4.2.1
Apr 10, 2025
High
Spring
Spring Security
Authorization Bypass
<=5.6.12, >=5.7.0 <5.7.16, >=5.8.0 <5.8.18, >=6.0.0 <=6.0.16, >=6.1.0 <6.1.14, >=6.2.0 <6.2.10, >=6.3.0 <6.3.8, >=6.4.0 <6.4.4
Mar 20, 2025
Medium
Spring
Spring for Apache Kafka
Remote Code Execution
<2.9.11, >=3.0.0 <3.0.10
Mar 3, 2025
Low
Spring
Spring LDAP
Authorization Bypass
<=2.4.3, >=3.0.0 <=3.0.9, >=3.1.0 <=3.1.7, >=3.2.0 <3.2.7
Nov 20, 2024
Medium
Spring
Spring Security
Authorization Bypass
<=5.7.13, >=5.8.0 <=5.8.15, >=6.0.0 <=6.0.13, >=6.1.0 <=6.1.11, >=6.2.0 <=6.2.7, >=6.3.0 <=6.3.4
Nov 19, 2024
High
Spring
Spring Framework
Path Traversal
<5.3.41, >=6.0.0 <6.0.25, >=6.1.0 <6.1.14
Oct 30, 2024
Critical
Spring
Spring Security
Authorization Bypass
>=5.7.0 <5.7.13, >=5.8.0 <5.8.15, >=6.0.0 <6.0.13, >=6.1.0 <6.1.11, >=6.2.0 <6.2.7, >=6.3.0 <6.3.4
Oct 25, 2024
Low
Spring
Spring Framework
Authorization Bypass
<5.3.41, >=6.0.0 <6.0.25, >=6.1.0 <6.1.14
Oct 23, 2024
High
Spring
Spring Framework
Path Traversal
>=5.3.0 <=5.3.39, >=6.0.0 <=6.0.23, >=6.1.0 <=6.1.12
Sep 12, 2024
Medium
Spring
Spring Framework
Denial of Service
>=4.3.0 <=4.3.30, >=5.3.0 <5.3.38, >=6.0.0 <6.0.23, >=6.1.0 <6.1.12
Aug 27, 2024
Medium
Spring
Spring Boot
Signature Forgery
>=2.7.0 <=2.7.21, >=3.0.0 <=3.0.16, >=3.1.0 <=3.1.12, >=3.2.0 <=3.2.8, >=3.3.0 <=3.3.2
Aug 23, 2024
High
Spring
Spring Framework
URL Redirect/Open Redirect
>=4.3.0, >=5.3.0 <5.3.34, >=6.0.0 <6.0.19, >=6.1.0 <6.1.6
Apr 16, 2024
High
Spring
Spring Framework
URL Redirect/Open Redirect
<=4.3.31, >=5.3.0 <5.3.33, >=6.0.0 <6.0.17, >=6.1.0 <6.1.5
Mar 16, 2024
High
Spring
Spring Framework
URL Redirect/Open Redirect
>=4.3.0 <=4.3.30, >=5.3.0 <5.3.32, >=6.0.0 <6.0.17, >=6.1.0 <6.1.4
Feb 23, 2024
High
Spring
Spring Boot
Denial of Service
>=1.5.0 <=1.5.22, >=2.5.0 <2.5.15, >=2.6.0 <2.6.15, >=2.7.0 <2.7.12 >=3.0.0 <3.0.7
May 19, 2023
High
Spring
Spring Security
Improper Session Handling
>=5.7.0 <5.7.8, >=5.8.0 <5.8.3, >=6.0.0 <6.0.3
Apr 19, 2023
Medium
Spring
Spring Framework
Denial of Service
<5.2.24, >=5.3.0 <5.3.27, >=6.0.0 <6.0.8
Apr 13, 2023
Medium
Spring
Spring Framework
Denial of Service
<5.2.23, >=5.3.0 <5.3.26, >=6.0.0 <6.0.7
Mar 23, 2023
High
Spring
Spring Security
Authorization Bypass
>=5.6.0 <5.6.9, >=5.7.0 <5.7.5
Oct 31, 2022
High
Spring
Spring Security
Authorization Bypass
<5.4.11, >=5.5.0 <5.5.7, >=5.6.x <5.6.4
May 16, 2022
Critical
Spring
Spring Framework
Remote Code Execution
<5.2.20, >=5.3.0 <5.3.18
Apr 1, 2022
Low
Spring
Spring Security
Denial of Service
<5.2.9.RELEASE, >=5.3.0 <5.3.9.RELEASE, >=5.4.0 <5.4.4
Feb 19, 2021
Medium
Spring
Spring Security
Information Exposure
<4.2.16, >=5.0.0 <5.0.16, >=5.1.0 <5.1.10, >=5.2.0 <5.2.4, >=5.3.0 <5.3.2
May 7, 2020
Low
Spring
Spring Security
Information Exposure
<4.2.12, >=5.0.0 <5.0.12, >=5.1.0 <5.1.5
Apr 19, 2019
High
Spring
Spring Security
Authorization Bypass
>=3.1.0 <3.1.6, >=3.2.0 <3.2.2
Mar 11, 2014
Medium
Spring
Spring Security
Authorization Bypass
<2.0.9, >=3.0.0, <3.0.9, >=3.1.0, <3.1.4
Dec 12, 2012
For more details on CVEs found in end-of-life software, visit our vulnerability directory.
Testimonials
Loved by Our Customers
“From the very first point of contact, working with HeroDevs has been an exceptional experience… The option to install EOL Support, rather than undertaking a full internal migration, has saved us significant time, money, and frustration.”
UI/UX Engineering Manager
Extended Version Support
Cost Flexibility
Broad Ecosystem Support
Certified CVE Naming Authority (CNA)
Open Source Pledge
Direct Access to Spring Experts
Built for Flexibility, Not Forced Upgrades
Secure, Tailored Support for Spring Boot 1.5 and Beyond
Secure, Tailored Support for Spring Boot 1.5 and Beyond
At HeroDevs, we meet you where your code is. Our Never-Ending Support for Spring delivers production-ready security patches, compliance coverage, and ongoing maintenance for older versions — no migration needed.
You're not just getting another vendor. You're getting a team of Spring experts who understands the framework inside out and ships fixes fast.
Join the growing number of teams staying secure without refactoring or blowing up timelines.
You're not just getting another vendor. You're getting a team of Spring experts who understands the framework inside out and ships fixes fast.
Join the growing number of teams staying secure without refactoring or blowing up timelines.
Don't Compromise, Talk with HeroDevs Today
NES for Spring
is a secure drop-in replacement for
Spring
and is easy to set up.
Step 1
Update your Maven/Gradle file
Step 2
Set up token
Step 3
Build & Run
Related Products
If you're leveraging this technology, chances are you're also using complementary systems that face similar end-of-life (EOL) challenges.
Explore our related NES products that offer proactive, comprehensive support for your entire tech stack to ensure continuity, security, and innovation across all your essential technologies.
Explore our related NES products that offer proactive, comprehensive support for your entire tech stack to ensure continuity, security, and innovation across all your essential technologies.
.svg)
The Growing Security Gap
When Spring Boot 2.7.18 reached end-of-support in November 2023, security patches for managed dependencies stopped, creating a widening vulnerability gap for organizations still using this version. We maintain stability with the Spring ecosystem by following the same proven dependency management practices used by Broadcom's Spring team during official support. This means comprehensive testing and validation across the entire dependency tree.
What is Never-Ending Support?
Security Fixes
A new version of NES for Spring will be released each time we find, validate, and fix a security issue.
Drop-In Compatibility
A direct replacement for your framework—no migrations, no rewrites, just ongoing support.
SLA Compliance
HeroDevs provides SLAs that ensure compliance by providing incident response and remediation in accordance with industry-standard regulations, including SOC 2, FedRAMP, PCI, and HIPAA.
Learn more.
Team of Experts
NES for Spring is built with advisement and consultation of contributors to Spring.
Easy to Install
Our simple drop-in replacement means all you have to do is change a few files and configurations and then rebuild your project. No code changes or find & replace required.
Intellectual Property Protection
NES for Spring is not only secure; HeroDevs also offers enterprise-level protection for all products.
Learn more.The Problem We Solve
84%
of all codebases with open source components contained vulnerabilities.
Does your website contain vulnerabilities?
Chances are, if you are behind in adopting actively supported versions of the open-source software you are using, you are exposed.
Websites using unsupported software are at risk. (2024 Open Source Security and Risk Analysis Report)
Websites using unsupported software are at risk. (2024 Open Source Security and Risk Analysis Report)
HeroDevs provides Never-Ending Support for Spring, so you can keep using it and stay secure and supported.
Why HeroDevs?
Built By Spring Experts
Our team of Spring experts ensures our Never-Ending Support for Spring products are the same quality you have come to expect when using Spring open source projects.
We specifically design our NES for Spring products to work seamlessly and ensure they are as dependable as the original Spring projects you built your applications on.
We Give Back To Open Source
HeroDevs is deeply committed to the open-source community. We support it through sponsorships, backing core contributors, and funding events that drive the ecosystem forward. Our engagement extends beyond financial contributions, embodying a commitment to the ongoing growth and innovation of open-source software. This holistic support ensures the vitality of the open-source movement, fostering an environment of collaboration and advancement.
We Partner With These Organizations
Support
Frequently Asked Questions
Below are common questions our customers have. Of course, we’re happy to meet with you and answer these and other questions you might have.
Does HeroDevs have an SLA for NES for Spring?
Does NES for Spring help with compliance?
Why do I need NES for Spring?
How does licensing work?
I got an error like "EOL/Obsolete Software: Spring Boot 2.7 Detected." What can I do?
HeroDevs Blog
Latest News
.png)
.png)
.png)
Contact Us
Got questions about Never-Ending Support for your open-source library? We're here to help!
%201.svg){kind=small}
Discover how HeroDevs NES Products can keep your systems secure and compliant.
Learn how our solutions can deliver value to your organization.
Get detailed pricing information tailored to your needs.
Trusted by industry leaders such as
Talk to an Expert