Framework Continuation
Spring Framework 5 reached EOL.
Your app didn't.
OSSeva maintains CVE coverage for Spring Framework 5.2.x and 5.3.x, Spring Boot 2.6.x and 2.7.x, and Spring Security 5.x — the versions running in production at most Fortune 500 enterprises. No forced Spring 6 upgrade. No Java 17 requirement. Your timeline.
Why Spring EOL matters now
Spring Boot 2.x EOL was November 2023
Broadcom commercialized the Spring ecosystem and ended community support earlier than the enterprise market expected. Millions of production workloads still run Spring Boot 2.x with no upstream patch path.
Spring 6 migration requires Java 17 minimum
Spring Framework 6 and Spring Boot 3 require Java 17 as the minimum JDK. For many enterprises, upgrading the JDK, with everything that entails (GC behaviour, JVM flags, library compatibility), is a bigger project than the Spring migration itself.
CVE-2026-38912 — SpEL injection in Spring 5.3.x
A critical SpEL injection vulnerability was disclosed in May 2026 affecting Spring Framework 5.3.x. Upstream will not backport the fix. OSSeva shipped a patched build within 48 hours of disclosure.
Coverage matrix
| Product | Version | Community EOL | OSSeva Coverage |
|---|---|---|---|
| Spring Framework | 5.2.x | Dec 2022 | Full CVE + Compliance |
| Spring Framework | 5.3.x | Dec 2024 | Full CVE + Compliance |
| Spring Framework | 6.x | Current | Supported |
| Spring Boot | 2.6.x | Nov 2023 | Full CVE + Compliance |
| Spring Boot | 2.7.x | Nov 2023 | Full CVE + Compliance |
| Spring Boot | 3.x | Current | Supported |
| Spring Security | 5.x | Dec 2023 | Full CVE + Compliance |
Migration planning included in Architect tier
When you're ready to upgrade, OSSeva's Architect tier includes Spring 5 → Spring 6 migration planning: dependency analysis, Java version upgrade sequencing, Spring Security reconfiguration, and a phased rollout plan. Continuation and migration under one contract.
Frequently asked questions
Is Spring Framework 5.3.x still supported?
Spring Framework 5.3.x reached its community OSS end-of-life on December 31, 2024. Broadcom's commercial extended support option is also no longer available under standard terms. OSSeva delivers backported CVE patches for Spring Framework 5.3.x and Spring Boot 2.7.x, providing a security backstop while teams plan a migration to Spring 6.x.
What CVEs affect Spring Framework 5.3.x after EOL?
Notable post-EOL CVEs in Spring Framework 5.3.x include CVE-2026-0447 (SpEL injection via @Value placeholders, CVSS 9.8) and CVE-2025-8771 (authorization bypass in Spring Security 5.8.x, CVSS 8.6). These were disclosed after community EOL and have no official upstream patch for the 5.3.x line — OSSeva backports these fixes specifically for Spring 5.3.x deployments.
What is the Jakarta EE namespace migration and why is it required for Spring 6?
Spring Framework 6 requires Java 17 and adopts the Jakarta EE 9+ namespace, which means all references to javax.* packages (javax.servlet, javax.persistence, etc.) must be changed to jakarta.*. This is a breaking change that affects every Spring Boot 2.x application at the dependency level. OSSeva's Spring migration toolkit includes automated codemod tooling to perform this namespace migration and handles common edge cases in enterprise codebases.
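The javax.* to jakarta.* rewrite is mechanical for most packages, but a blanket search-and-replace is the classic way to break a build: packages such as javax.sql, javax.crypto, javax.net and javax.xml.parsers belong to the JDK and never moved, and javax.annotation splits in two (javax.annotation.PostConstruct became jakarta.annotation.PostConstruct, while javax.annotation.processing stayed in the JDK compiler API). The script below is an added illustration written for this page, not OSSeva's migration toolkit; the list of renamed packages is a constructed subset of the Jakarta EE 9 renames, and the sample source is constructed. It rewrites only the renamed packages and reports whatever javax.* references remain so a reviewer can confirm they are JDK-owned rather than missed.

```python
"""Illustrative javax.* -> jakarta.* codemod (added example, not OSSeva's tooling)."""
from __future__ import annotations

import re
from pathlib import Path

# Java EE packages that Jakarta EE 9 renamed to jakarta.*. Constructed subset for
# this example: extend it from your own dependency tree before running it for real.
MOVED = (
    "servlet", "persistence", "validation", "transaction", "inject",
    "annotation", "ws.rs", "websocket", "mail", "jms", "ejb", "enterprise",
    "faces", "el", "json", "xml.bind", "xml.ws", "activation", "security.enterprise",
)

# Only the packages in MOVED are rewritten, so JDK-owned javax.* packages
# (javax.sql, javax.crypto, javax.net, javax.xml.parsers, ...) are left alone.
# javax.annotation.processing is excluded explicitly because its parent package
# javax.annotation did move.
JAVAX_RE = re.compile(
    r"\bjavax\.(?!annotation\.processing\b)("
    + "|".join(re.escape(p) for p in MOVED)
    + r")\b"
)

# Matches the package part of any javax.* reference (stops before a capitalised class name).
ANY_JAVAX_RE = re.compile(r"\bjavax(?:\.[a-z]\w*)+")


def migrate_source(text: str) -> str:
    """Rewrite renamed javax.* references in Java source or config text."""
    return JAVAX_RE.sub(r"jakarta.\1", text)


def remaining_javax(text: str) -> set[str]:
    """javax.* packages still present after migration; each should be JDK-owned."""
    return set(ANY_JAVAX_RE.findall(text))


def migrate_tree(root: Path, suffixes: tuple[str, ...] = (".java", ".xml", ".properties")) -> dict[str, set[str]]:
    """Rewrite matching files under root in place; return leftover javax.* packages per file.

    Build coordinates (groupId:artifactId) are not handled here: the jakarta artifacts
    are not a 1:1 rename of the javax ones, so update pom.xml / build.gradle by hand.
    """
    report: dict[str, set[str]] = {}
    for path in root.rglob("*"):
        if path.suffix not in suffixes or not path.is_file():
            continue
        original = path.read_text(encoding="utf-8")
        migrated = migrate_source(original)
        if migrated != original:
            path.write_text(migrated, encoding="utf-8")
        leftovers = remaining_javax(migrated)
        if leftovers:
            report[str(path)] = leftovers
    return report


# Constructed sample: a mix of renamed packages and JDK-owned ones that must survive.
SAMPLE = """\
import javax.servlet.http.HttpServletRequest;
import javax.persistence.Entity;
import javax.annotation.PostConstruct;
import javax.annotation.processing.Processor;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.sql.DataSource;
import javax.crypto.Cipher;
"""

if __name__ == "__main__":
    migrated = migrate_source(SAMPLE)
    print(migrated)
    print("left for review:", sorted(remaining_javax(migrated)))
```

Run it against a copy of the source tree first and read the leftover report before trusting the rewrite; anything in that report that is not a JDK package is a rename the constructed list does not know about yet.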
How long can OSSeva maintain Spring Framework 5.3.x security patches?
OSSeva's Spring Framework 5.3.x coverage is available as long as customers require it. Unlike community support, which ends on a fixed date, OSSeva engagements are renewed annually. Most Spring 5.3.x customers plan a 12–24 month transition window to Spring 6, with OSSeva coverage bridging the gap. We work with customers to scope and support the migration as part of the engagement.
Stay patched until you're ready to upgrade.
OSSeva covers Spring 5.x on your timeline — not Broadcom's.