This repository is a self-maintained Spring Framework fork published for projects that still need a Spring Framework 5.3.x based build with selected security backports.
It is not an official Spring release. Official Spring Framework artifacts are
published by the Spring team under the org.springframework Maven group.
- GitHub repository: https://github.com/duanluan/spring-framework
- Security branch: https://github.com/duanluan/spring-framework/tree/5.3.42-security
- Base source: https://github.com/spring-projects/spring-framework/tree/v5.3.39
- Base version:
spring-projects/spring-framework:v5.3.39 - Published version:
5.3.42 - Maven group:
io.github.duanluan.springframework - Java package names:
org.springframework.*
The artifacts are published with the fork Maven group:
io.github.duanluan.springframework:spring-framework-bom:5.3.42
io.github.duanluan.springframework:spring-core:5.3.42
io.github.duanluan.springframework:spring-context:5.3.42
io.github.duanluan.springframework:spring-web:5.3.42
io.github.duanluan.springframework:spring-webmvc:5.3.42
io.github.duanluan.springframework:spring-webflux:5.3.42
Example Maven BOM usage:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>io.github.duanluan.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>5.3.42</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>Example Gradle BOM usage:
dependencies {
implementation platform("io.github.duanluan.springframework:spring-framework-bom:5.3.42")
implementation "io.github.duanluan.springframework:spring-webmvc"
}If a project still receives org.springframework:spring-* through transitive
dependencies, add dependency substitution for the Spring modules used by that
project:
configurations.configureEach {
resolutionStrategy.dependencySubstitution {
substitute module("org.springframework:spring-core") using module("io.github.duanluan.springframework:spring-core:5.3.42")
substitute module("org.springframework:spring-context") using module("io.github.duanluan.springframework:spring-context:5.3.42")
substitute module("org.springframework:spring-web") using module("io.github.duanluan.springframework:spring-web:5.3.42")
substitute module("org.springframework:spring-webmvc") using module("io.github.duanluan.springframework:spring-webmvc:5.3.42")
substitute module("org.springframework:spring-webflux") using module("io.github.duanluan.springframework:spring-webflux:5.3.42")
}
}This branch applies selected fixes for the following Spring Framework advisories:
- CVE-2024-38819: Path traversal with static resources in WebMvc.fn and WebFlux.fn
- CVE-2024-38820: DataBinder case-insensitive binding issue caused by locale-specific case conversion
- CVE-2024-38828: DoS risk for Spring MVC controllers with
@RequestBody byte[]
The public Spring Framework OSS repository does not provide an official
v5.3.42 tag. This branch therefore does not claim to be byte-for-byte equal to
the commercial Spring Framework 5.3.42 build. It is based on v5.3.39 and
backports the relevant public fix behavior for the advisories above.
Official advisory:
Public Spring Framework commit used as reference:
Fix idea:
DataBinderlowercases disallowed field names withLocale.ROOT.- Field matching also lowercases candidate fields with
Locale.ROOT. - This avoids locale-specific conversions such as Turkish
i/Ibehavior.
Files changed:
spring-context/src/main/java/org/springframework/validation/DataBinder.javaspring-context/src/test/java/org/springframework/validation/DataBinderTests.java
Regression test:
./gradlew :spring-context:test --tests org.springframework.validation.DataBinderTests.bindingWithDisallowedFieldsUsesLocaleIndependentLowerCaseOfficial advisory:
Public Spring Framework comparison used as reference:
Fix idea:
- Validate the original request path before static resource lookup.
- Validate percent-encoded input paths after decoding and path processing.
- Normalize duplicate slashes, backslashes, leading slashes, and encoded path segments before the final traversal check.
- Reject resolved resource paths that contain encoded traversal segments.
- Keep the resource inside the configured static resource location.
Files changed:
spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.javaspring-webmvc/src/test/java/org/springframework/web/servlet/function/PathResourceLookupFunctionTests.javaspring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.javaspring-webflux/src/test/java/org/springframework/web/reactive/function/server/PathResourceLookupFunctionTests.java
Regression tests:
./gradlew :spring-webmvc:test --tests org.springframework.web.servlet.function.PathResourceLookupFunctionTests.pathTraversalIsRejected
./gradlew :spring-webflux:test --tests org.springframework.web.reactive.function.server.PathResourceLookupFunctionTests.pathTraversalIsRejectedOfficial advisory:
Fix idea:
ByteArrayHttpMessageConverterno longer pre-allocates aByteArrayOutputStreamfrom the requestContent-Lengthheader.- The converter now reads the actual request body with Java 8 compatible stream copying.
- This avoids oversized or malformed
Content-Lengthvalues causing excessive allocation, integer conversion issues, or request handling failures.
Files changed:
spring-web/src/main/java/org/springframework/http/converter/ByteArrayHttpMessageConverter.javaspring-web/src/test/java/org/springframework/http/converter/ByteArrayHttpMessageConverterTests.java
Regression test:
./gradlew -PmainToolchain=8 :spring-web:test --tests org.springframework.http.converter.ByteArrayHttpMessageConverterTests.readWithLargeContentLengthThe branch was verified with targeted regression tests and local publication:
./gradlew -PmainToolchain=8 :spring-web:test --tests org.springframework.http.converter.ByteArrayHttpMessageConverterTests.readWithLargeContentLength
./gradlew :spring-context:test --tests org.springframework.validation.DataBinderTests.bindingWithDisallowedFieldsUsesLocaleIndependentLowerCase
./gradlew :spring-webmvc:test --tests org.springframework.web.servlet.function.PathResourceLookupFunctionTests.pathTraversalIsRejected
./gradlew :spring-webflux:test --tests org.springframework.web.reactive.function.server.PathResourceLookupFunctionTests.pathTraversalIsRejected
./gradlew publishToMavenLocalThe current project integration also verified that these modules resolve to
io.github.duanluan.springframework:5.3.42:
spring-corespring-contextspring-webspring-webmvcspring-webflux
This fork changes Maven coordinates. Some scanners decide findings by Maven coordinates, some by SBOM package URL, some by class names, and some by CPE. If a scanner cannot understand this self-maintained coordinate, attach this README, the commit diff, and the regression test results as evidence.
This branch is focused on CVE-2024-38819, CVE-2024-38820, and CVE-2024-38828. It
does not remove deprecated Spring classes such as HttpInvokerServiceExporter;
scanners that report CVE-2016-1000027 by class presence may still flag
spring-web.
The original Spring Framework license and notice files are retained:
LICENSE.txtNOTICE.txt
Spring Framework is released under the Apache License, Version 2.0.