[SECURITY] Request: Upgrade Spring Framework 6.1.x to 6.2.x (EOL)

## Security Request: Spring Framework 6.2.x Upgrade

**Requested By:** Alliance project (codice/alliance)  
**Issue:** Spring 6.1.x is End-of-Life, security fixes only in 6.2.x  
**Alliance Tracking:** montge/alliance#58

---

## Problem

Spring Framework 6.1.x OSS support has **ended**. Security vulnerabilities in 6.1.x are only fixed in commercial releases (6.1.23+), not open-source versions.

**Current DDF Version:** Spring 6.1.21 (via ddf-parent POM)  
**EOL Status:** 6.1.x no longer receives OSS security patches  
**Recommended:** Upgrade to 6.2.12+ (actively supported OSS)

---

## Security Impact

**CVEs Fixed in 6.2.x (not available in 6.1.x OSS):**
- CVE-2025-41249 (CVSS 8.1): Security annotation bypass
- CVE-2025-41254 (CVSS 7.5): STOMP CSRF vulnerability

**Risk for 6.1.21 Users:**
- Missing security patches for future vulnerabilities
- No OSS updates available (must upgrade to 6.2.x)
- Commercial support only for 6.1.23+

---

## Upgrade Path

**Option A: Spring 6.2.12** (RECOMMENDED)
- Latest 6.2.x stable release
- Active OSS security support
- Moderate API changes from 6.1.x
- Estimated effort: 20-40 hours (DDF + Alliance testing)

**Option B: Spring 6.3.x**
- Cutting edge, may have instability
- Not recommended for production

---

## DDF Impact

**Affected Modules:**
- ddf.platform.util:platform-util
- All modules using Spring (dependency injection, web MVC, etc.)

**Testing Required:**
- DDF platform module tests
- Spring bean wiring validation
- Security configuration verification
- Integration tests for all DDF applications

---

## Alliance Coordination

Alliance is willing to:
1. Test Spring 6.2.12 compatibility with Alliance modules
2. Report any breaking changes found
3. Contribute fixes if needed
4. Coordinate release timing

---

## Request

Could the DDF team:
1. Review Spring 6.1.x EOL status
2. Plan upgrade to 6.2.12+
3. Provide timeline for DDF release with updated Spring
4. Coordinate with downstream applications (Alliance, others)

**Thank you for maintaining DDF!**

---

**References:**
- Spring 6.2 Release Notes: https://github.com/spring-projects/spring-framework/releases
- Alliance Issue: https://github.com/montge/alliance/issues/58
- Phase 3C Tracking: https://github.com/montge/alliance/issues/50

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[SECURITY] Request: Upgrade Spring Framework 6.1.x to 6.2.x (EOL) #6935

Security Request: Spring Framework 6.2.x Upgrade

Problem

Security Impact

Upgrade Path

DDF Impact

Alliance Coordination

Request

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[SECURITY] Request: Upgrade Spring Framework 6.1.x to 6.2.x (EOL) #6935

Description

Security Request: Spring Framework 6.2.x Upgrade

Problem

Security Impact

Upgrade Path

DDF Impact

Alliance Coordination

Request

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions