Spring Framework
VMware · Web / Runtime
Health score: 100/100 (healthy)
Summary
Plain-English security verdict for Spring Framework, generated from its current health score, actively exploited vulnerabilities (CISA KEV), and latest supported version.
Spring Framework currently scores 100/100, healthy. One vulnerability in the CISA Known Exploited Vulnerabilities catalog, CVE-2022-22965, affects older releases (fixed in 5.3.18); the supported lines 7.0 and 6.2 are not exposed to it. The latest supported release is 7.0.8, which is on the latest patch with no significant known issues; keep it current. Note that three rows in the patch-priority table below carry no published fixed version ("see advisory"), so a version upgrade alone does not clear them; check their advisories.
Disclosure trend
New CVEs published for Spring Framework each year (NVD). A taller bar means more disclosures that year, which reflects more scrutiny, not necessarily a less safe product.
Chart: CVEs published per year, 2019 through 2026 (bar heights not reproduced in text).
Patch priority: what to act on
The issues to fix first: actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then by severity. Each row's "fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE               Severity  Exploited  Class                                                EPSS  Fixed in
CVE-2022-22965    CRITICAL  KEV        Code injection                                       94%   5.3.18
CVE-2018-1271     MEDIUM    -          Path traversal                                       91%   5.0.5
CVE-2020-5398     HIGH      -          Cross-site scripting (XSS)                           90%   5.2.3
CVE-2018-1270     CRITICAL  -          Code injection                                       89%   5.0.5
CVE-2023-20860    HIGH      -          -                                                    64%   6.0.7
CVE-2020-5421     MEDIUM    -          -                                                    64%   5.2.9
CVE-2016-1000027  CRITICAL  -          Insecure deserialization                             60%   6.0.0
CVE-2024-22259    HIGH      -          Open redirect (CWE-601)                              56%   6.1.5
CVE-2013-4152     MEDIUM    -          Permissions, privileges and access controls (CWE-264) 50%   see advisory
CVE-2013-6429     MEDIUM    -          Cross-site request forgery (CSRF)                    39%   see advisory
CVE-2018-1275     CRITICAL  -          Code injection                                       38%   5.0.5
CVE-2023-44794    CRITICAL  -          Improper access control                              2%    see advisory

Versions & lifecycle
When each release line stops receiving security patches (end of life). After EOL there are no more fixes; plan upgrades before these dates.
How long each Spring Framework release line is supported — and when it sunsets.
Line  Latest   Status
7.0   7.0.8    Supported until 2027-06-30
6.2   6.2.19   Supported until 2026-06-30
6.1   6.1.21   End of life (support ended 2025-06-30)
6.0   6.0.23   End of life (support ended 2024-06-30)
5.3   5.3.39   End of life (support ended 2024-08-31)
5.2   5.2.25   End of life (support ended 2021-12-31)
5.1   5.1.20   End of life (support ended 2020-12-31)
5.0   5.0.20   End of life (support ended 2020-12-31)
4.3   4.3.30   End of life (support ended 2020-12-31)
3.2   3.2.18   End of life (support ended 2016-12-31)
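The two rules this page states, the patch-priority ordering (CISA KEV first, then EPSS, then severity, with "fixed in" as the earliest patched version) and the per-line support dates in the lifecycle table, are small enough to automate against an inventory. The script below is an added example; it is not part of this page or of the Spring project. It transcribes the two tables above into data, then reports for one installed version which rows still apply, in the page's priority order, and whether that version's release line is still supported. A row is treated as open when the installed version is older than its "fixed in" version; rows with no fixed version ("see advisory") are always reported rather than dropped. The installed version and the "today" date are constructed inputs, and the version parser's tolerance for a ".RELEASE" suffix is an assumption about older artifact naming.

```python
# Added example (not from the dashboard or the Spring project): applies the
# page's patch-priority rule and lifecycle table to one installed version.
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    kev: bool                # in CISA KEV, i.e. actively exploited
    epss: float              # exploitation probability, 0..1
    fixed_in: Optional[str]  # earliest patched version; None = "see advisory"


# Rows transcribed from the page's "Patch priority" table.
FINDINGS = [
    Finding("CVE-2022-22965", "CRITICAL", True, 0.94, "5.3.18"),
    Finding("CVE-2018-1271", "MEDIUM", False, 0.91, "5.0.5"),
    Finding("CVE-2020-5398", "HIGH", False, 0.90, "5.2.3"),
    Finding("CVE-2018-1270", "CRITICAL", False, 0.89, "5.0.5"),
    Finding("CVE-2023-20860", "HIGH", False, 0.64, "6.0.7"),
    Finding("CVE-2020-5421", "MEDIUM", False, 0.64, "5.2.9"),
    Finding("CVE-2016-1000027", "CRITICAL", False, 0.60, "6.0.0"),
    Finding("CVE-2024-22259", "HIGH", False, 0.56, "6.1.5"),
    Finding("CVE-2013-4152", "MEDIUM", False, 0.50, None),
    Finding("CVE-2013-6429", "MEDIUM", False, 0.39, None),
    Finding("CVE-2018-1275", "CRITICAL", False, 0.38, "5.0.5"),
    Finding("CVE-2023-44794", "CRITICAL", False, 0.02, None),
]

# Transcribed from the page's "Versions & lifecycle" table:
# release line -> (latest release in the line, last day of support).
LIFECYCLE = {
    "7.0": ("7.0.8", date(2027, 6, 30)),
    "6.2": ("6.2.19", date(2026, 6, 30)),
    "6.1": ("6.1.21", date(2025, 6, 30)),
    "6.0": ("6.0.23", date(2024, 6, 30)),
    "5.3": ("5.3.39", date(2024, 8, 31)),
    "5.2": ("5.2.25", date(2021, 12, 31)),
    "5.1": ("5.1.20", date(2020, 12, 31)),
    "5.0": ("5.0.20", date(2020, 12, 31)),
    "4.3": ("4.3.30", date(2020, 12, 31)),
    "3.2": ("3.2.18", date(2016, 12, 31)),
}


def parse_version(v: str) -> tuple:
    """'5.3.18' -> (5, 3, 18). Non-numeric parts are ignored, so the
    '.RELEASE' suffix on older Spring artifacts (assumed form) compares
    equal to the bare version: '5.0.5.RELEASE' == '5.0.5'."""
    return tuple(int(p) for p in v.split("-")[0].split(".") if p.isdigit())


def priority_key(f: Finding) -> tuple:
    """The page's ordering: KEV first, then higher EPSS, then higher severity."""
    return (not f.kev, -f.epss, -SEVERITY_RANK.get(f.severity, 0))


def affecting(version: str) -> list:
    """Findings still open for `version`, most urgent first.
    Open = installed version older than the earliest fixed version. Rows with
    no fixed version ("see advisory") are always returned, never dropped."""
    installed = parse_version(version)
    open_rows = [f for f in FINDINGS
                 if f.fixed_in is None or installed < parse_version(f.fixed_in)]
    return sorted(open_rows, key=priority_key)


def lifecycle_status(version: str, today: date) -> dict:
    """Support status of the release line (major.minor) that `version` belongs to."""
    parsed = parse_version(version)
    line = f"{parsed[0]}.{parsed[1]}"
    if line not in LIFECYCLE:
        return {"line": line, "known": False}
    latest, support_end = LIFECYCLE[line]
    return {"line": line, "known": True, "latest": latest,
            "supported": today <= support_end,
            "support_end": support_end.isoformat(),
            "behind_latest": parsed < parse_version(latest)}


if __name__ == "__main__":
    installed, today = "5.3.17", date(2026, 1, 1)   # constructed inputs
    status = lifecycle_status(installed, today)
    print(f"{installed}: line {status['line']} supported={status['supported']} "
          f"(until {status.get('support_end')}), latest in line {status.get('latest')}")
    for f in affecting(installed):
        tag = "KEV " if f.kev else ""
        print(f"  {tag}{f.cve:<16} {f.severity:<8} EPSS {f.epss:.0%}  "
              f"fix: {f.fixed_in or 'see advisory'}")
```

Treat the output as a worklist, not a verdict. The page gives a single "fixed in" version per row, so a fix backported into an older line cannot be expressed in this data and an install on that older line is reported as still open; conversely, the three "see advisory" rows stay on the list even for 7.0.8, which is the right default when no fixed version exists.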