Is org.springframework:spring-core safe to use?

org.springframework:spring-core has 18 known vulnerabilities on the latest version (7.0.0-M6). DepScope rates its health at 35/100 (critical risk).

What is the latest version of org.springframework:spring-core?

The latest version of org.springframework:spring-core is 7.0.0-M6, released 2025-06-12.

Does org.springframework:spring-core have known vulnerabilities?

Yes. org.springframework:spring-core has 18 known vulnerabilities. See depscope.dev/pkg/maven/org.springframework:spring-core for details.

Is org.springframework:spring-core deprecated?

No, org.springframework:spring-core is actively maintained. Latest release: 7.0.0-M6 (2025-06-12).

What are alternatives to org.springframework:spring-core?

DepScope has no curated alternatives for org.springframework:spring-core at this time.

What license does org.springframework:spring-core use?

org.springframework:spring-core is licensed under Apache-2.0.

org.springframework:spring-core

mavenv7.0.0-M6

Spring Core

License Apache-2.0permissive311 versions0 deps

spring-projects/spring-framework

/ 100

Health

update required

org.springframework:[email protected] has vulnerabilities — update to latest

Update to >= 2.5.7.SR023 to fix known vulnerabilities

Low health score (35/100)
8 high severity vulnerabilities

Health breakdown0 – 100

10/25

maintenance

0/20

popularity

0/25

security

15/15

maturity

10/15

community

Vulnerabilities

8 high10 medium

Advisories (18)

Severity	ID	Summary	Fixed in
high	CVE-2018-1272	Possible privilege escalation in org.springframework:spring-core	5.0.5
medium	CVE-2015-0201	Moderate severity vulnerability that affects org.springframework:spring-core	4.1.5
medium	CVE-2021-22060	Log entry injection in Spring Framework	5.2.19
high	CVE-2016-5007	Spring Security and Spring Framework may not recognize certain paths that should be protected	4.1.1
high	CVE-2018-1258	Spring Framework when used in combination with any versions of Spring Security contains an authorization bypass	5.0.6.RELEASE
medium	CVE-2018-11040	Moderate severity vulnerability that affects org.springframework:spring-core	4.3.18.RELEASE
medium	CVE-2011-2894	Spring Framework and Spring Security vulnerable to Deserialization of Untrusted Data	2.0.7
high	CVE-2018-15756	Denial of Service in Spring Framework	4.3.20.RELEASE
medium	CVE-2018-1271	Path Traversal in org.springframework:spring-core	4.3.15
high	CVE-2025-41249	Spring Framework annotation detection mechanism may result in improper authorization	6.2.11
high	CVE-2015-5211	Files or Directories Accessible to External Parties in org.springframework:spring-core	3.2.15
high	CVE-2024-22233	Spring Framework server Web DoS Vulnerability	6.0.16
medium	CVE-2018-1257	Denial of Service in org.springframework:spring-core	4.3.17
medium	CVE-2021-22096	Improper Output Neutralization for Logs in Spring Framework	5.3.11
medium	CVE-2014-3578	Improper Limitation of a Pathname to a Restricted Directory in Spring Framework	4.0.5
medium	CVE-2018-1199	Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core , and org.springframework:spring-core	4.1.5
medium	CVE-2009-1190	Spring Framework Inefficient Regular Expression Complexity	3.0.0.RELEASE
high	CVE-2011-2730	Improper Neutralization of Directives in Dynamically Evaluated Code in Spring Framework	2.5.7.SR023

Threat intelligence

1 likely exploited (EPSS ≥ 0.5)

Threat tier per vulnerability derived from CISA KEV catalog + FIRST.org EPSS scores.

OSS Scorecard

OpenSSF security posture score

5.7/10

moderate

Maintainer trust

Active maintainers (3m)

16

Contributors (12m)

16

Primary author dominance

60%

GitHub stars

59,858

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/maven/org.springframework:spring-core

Last updated · 2025-06-12T10:14:17+00:00