
[SECURITY] Request: Upgrade Spring Framework 6.1.x to 6.2.x (EOL)

Open montge opened this issue 3 months ago • 0 comments

Security Request: Spring Framework 6.2.x Upgrade

Requested By: Alliance project (codice/alliance)
Issue: Spring 6.1.x is End-of-Life, security fixes only in 6.2.x
Alliance Tracking: montge/alliance#58
Problem

Spring Framework 6.1.x OSS support has ended. Security vulnerabilities in 6.1.x are only fixed in commercial releases (6.1.23+), not open-source versions.

Current DDF Version: Spring 6.1.21 (via ddf-parent POM)
EOL Status: 6.1.x no longer receives OSS security patches
Recommended: Upgrade to 6.2.12+ (actively supported OSS)
Security Impact

CVEs Fixed in 6.2.x (not available in 6.1.x OSS):

  • CVE-2025-41249 (CVSS 8.1): Security annotation bypass
  • CVE-2025-41254 (CVSS 7.5): STOMP CSRF vulnerability

Risk for 6.1.21 Users:

  • Missing security patches for future vulnerabilities
  • No OSS updates available (must upgrade to 6.2.x)
  • Commercial support only for 6.1.23+

Upgrade Path

Option A: Spring 6.2.12 (RECOMMENDED)

  • Latest 6.2.x stable release
  • Active OSS security support
  • Moderate API changes from 6.1.x
  • Estimated effort: 20-40 hours (DDF + Alliance testing)

Option B: Spring 6.3.x

  • Cutting edge, may have instability
  • Not recommended for production

DDF Impact

Affected Modules:

  • ddf.platform.util:platform-util
  • All modules using Spring (dependency injection, web MVC, etc.)

Testing Required:

  • DDF platform module tests
  • Spring bean wiring validation
  • Security configuration verification
  • Integration tests for all DDF applications

Alliance Coordination

Alliance is willing to:

  1. Test Spring 6.2.12 compatibility with Alliance modules
  2. Report any breaking changes found
  3. Contribute fixes if needed
  4. Coordinate release timing

Request

Could the DDF team:

  1. Review Spring 6.1.x EOL status
  2. Plan upgrade to 6.2.12+
  3. Provide timeline for DDF release with updated Spring
  4. Coordinate with downstream applications (Alliance, others)

Thank you for maintaining DDF!
References:

  • Spring 6.2 Release Notes: https://github.com/spring-projects/spring-framework/releases
  • Alliance Issue: https://github.com/montge/alliance/issues/58
  • Phase 3C Tracking: https://github.com/montge/alliance/issues/50

montge, Nov 15 '25 17:11
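A practitioner triaging this request will want a quick way to find every Spring Framework coordinate a parent POM pins and flag those below the 6.2.12 floor the issue recommends. The following is an added example, not code from the DDF or Alliance projects: the POM text is constructed, the `spring.version` property name is an assumption (the real ddf-parent POM may name it differently), and the 6.2.12 threshold is taken from the issue text above.

```python
"""Flag Spring Framework versions below a supported floor in a Maven POM.

Added example; not part of DDF or Alliance. The sample POM is constructed
and the ``spring.version`` property name is an assumption. The floor
(6.2.12) comes from the issue text recommending 6.2.12+.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample POM fragment, NOT the real ddf-parent POM.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>example-parent</artifactId>
  <version>0.0.0-SNAPSHOT</version>
  <properties>
    <spring.version>6.1.21</spring.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>${spring.version}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>6.2.5</version>
      </dependency>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>2.0.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_SUPPORTED = (6, 2, 12)  # recommended floor from the issue: 6.2.12+


def parse_version(version):
    """Turn '6.1.21' into (6, 1, 21); trailing qualifiers are ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.groups())


def resolve(value, props):
    """Expand ${name} references using the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def spring_versions(pom_xml):
    """Map each org.springframework artifact in the POM to its resolved version."""
    root = ET.fromstring(pom_xml)
    # Strip the namespace from property tags so "{ns}spring.version" -> "spring.version".
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = {}
    for dep in root.iter("{%s}dependency" % NS["m"]):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "org.springframework":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        found[artifact] = resolve(version, props)
    return found


def eol_findings(pom_xml, floor=MIN_SUPPORTED):
    """Return (artifact, version) pairs whose version is below the floor."""
    return [(artifact, version)
            for artifact, version in spring_versions(pom_xml).items()
            if parse_version(version) < floor]


if __name__ == "__main__":
    for artifact, version in eol_findings(SAMPLE_POM):
        print(f"{artifact} {version} is below {'.'.join(map(str, MIN_SUPPORTED))}")
```

Pointing the parser at a real parent POM (reading the file instead of `SAMPLE_POM`) gives a one-shot inventory of pinned Spring artifacts; note that it only inspects versions declared in that file and does not walk inherited or transitive dependencies, which `mvn dependency:tree` covers.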