Apr 28, 2025

The Hidden Risk in Spring Boot 2.7: Managed Dependencies Still Matter

What happens to your security when Spring Boot 2.7 stops updating—and how HeroDevs NES protects you from hidden CVEs.


What Happens When OSS Support Ends?

Spring Boot simplifies Java development by managing versions of hundreds of third-party libraries. Instead of picking every dependency version yourself, you rely on Spring Boot’s curated list — a powerful feature that improves developer productivity and reduces compatibility issues. You can see this curated list in the Managed Dependency Coordinates section of the Spring Boot documentation.

But there’s a catch. When the final open source release of Spring Boot 2.7 (version 2.7.18) was published on November 23, 2023, that curated list was effectively frozen in time. With no further OSS Spring Boot releases, the managed dependency list isn’t updated — even though many of those libraries continue to release important updates, including fixes for known CVEs.

If you’re still running OSS Spring Boot 2.7 in production, there’s a good chance you’re using outdated, and potentially vulnerable, versions of managed dependencies. Not because those libraries are unmaintained, but because Spring Boot 2.7 stopped updating the versions it manages: the libraries keep publishing security patches, while the static version list in Spring Boot 2.7 never picks them up.

The Silent Risk: Transitive Dependencies with CVEs

While the core Spring libraries often receive the most attention, many real-world security risks live in transitive dependencies — things like Tomcat, Undertow, Elasticsearch, PostgreSQL, Solr, and dozens of others that Spring Boot manages for you.

Not every managed dependency is pulled into every application; which ones you get depends on the starters and features you use. But when one is pulled in, Spring Boot selects its version for you. You can override that version manually in your own build configuration, but doing so adds overhead for every affected library, and it’s easy to forget or miss one.

The Risk Grows

As libraries continue to evolve, more CVEs are discovered and fixed in newer patch versions. But with no mechanism in Spring Boot 2.7 to update those versions, the gap between the static dependency list and the secure, current versions of those libraries continues to widen.

Over time, this creates a growing backlog of unpatched vulnerabilities — not in your application code, and not in Spring itself, but in the libraries brought in through Spring Boot’s dependency management. The longer a system runs on an unmaintained version, the more likely it is to accumulate security debt in the form of outdated transitive dependencies.

Unless teams actively track and override those versions on their own, the risk compounds. What may seem like a stable and reliable baseline today can become a liability tomorrow.

Patched Dependencies in HeroDevs NES for Spring

In the current HeroDevs NES for Spring release, we include newer versions of managed dependencies that eliminate 29 known CVEs present in Spring Boot 2.7.18. These CVEs exist in widely used libraries like Undertow, Tomcat, Elasticsearch, Jetty, Netty, PostgreSQL, and more.

Examples are below: each entry gives the coordinates and version as managed by Spring Boot 2.7.18, followed by the CVEs affecting that version. Contact us to get a fully secure version of Spring Boot 2.7.

Undertow

  • io.undertow:undertow-core@2.2.28.Final
    • CVE-2023-1973: Denial of Service
    • CVE-2023-4639: Cookie parsing issue
    • CVE-2024-1459: Path Traversal vulnerability
    • CVE-2024-1635: Uncontrolled Resource Consumption
    • CVE-2024-3653: Memory not released after lifetime
    • CVE-2024-5971: Denial of Service
    • CVE-2024-7885: Race Condition

RabbitMQ Java Client

  • com.rabbitmq:amqp-client@5.14.3
    • CVE-2023-46120: Lack of Message Size Limitation leads to Remote DoS

Elasticsearch

  • org.elasticsearch:elasticsearch@7.17.15
    • CVE-2023-49921: Sensitive information in logs
    • CVE-2024-23444: Private key stored unencrypted
    • CVE-2024-23450: Uncontrolled Resource Consumption
    • CVE-2024-43709: Resource allocation without throttling

Solr

  • org.apache.solr:solr-core@8.11.2
    • CVE-2023-50291: Password leak via redaction logic
    • CVE-2023-50292: Schema Designer trusts configsets
    • CVE-2023-50386: Deploying executables via malicious configsets
  • org.apache.solr:solr-solrj@8.11.2
    • CVE-2023-50298: Streaming Expressions allow data exfiltration

Logback

  • ch.qos.logback:logback-core@1.2.12
    • CVE-2023-6378: Serialization vulnerability
    • CVE-2023-6481: Denial of Service from poisoned data

PostgreSQL

  • org.postgresql:postgresql@42.3.8
    • CVE-2024-1597: Vulnerability in JDBC driver

Jetty

  • org.eclipse.jetty.http2:http2-common@9.4.53.v20231009
    • CVE-2024-22201: Connection leak on idle timeout
  • org.eclipse.jetty:jetty-server@9.4.53.v20231009
    • CVE-2024-8184: DoS via ThreadLimitHandler
  • org.eclipse.jetty:jetty-servlets@9.4.53.v20231009
    • CVE-2024-9823: DoS vulnerability in DosFilter

Tomcat

  • org.apache.tomcat.embed:tomcat-embed-core@9.0.83
    • CVE-2024-24549: DoS via HTTP/2 request validation
    • CVE-2024-34750: Denial of Service
    • CVE-2024-50379, CVE-2024-56337: TOCTOU Race Conditions
  • org.apache.tomcat.embed:tomcat-embed-websocket@9.0.83
    • CVE-2024-23672: Incomplete cleanup DoS vulnerability

Netty

  • io.netty:netty-codec-http@4.1.101.Final
    • CVE-2024-29025
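The two practical points above, that you must track which managed versions your build actually resolves and then override them yourself, can be turned into a small audit. The script below is an added example, not HeroDevs or Spring code: it parses the output of `mvn dependency:tree`, flags any library resolved at or below the Spring Boot 2.7.18 managed version listed on this page, and prints the Maven `<properties>` overrides a `spring-boot-starter-parent` build would use to pin newer releases. The CVE table is copied from the list above; the sample tree is constructed; and the property names (`tomcat.version`, `netty.version`, and so on) are assumed to match the ones defined in `spring-boot-dependencies` 2.7.x, so confirm them against the BOM your build imports.

```python
"""Audit a Maven dependency tree against the Spring Boot 2.7.18 managed versions
listed on this page and emit property overrides.  Added example, not HeroDevs or
Spring code; the sample tree is constructed."""
import re
from typing import Dict, List, Tuple

# Versions managed by Spring Boot 2.7.18 and the CVEs this page attributes to
# them (copied from the list above).  The page gives no fixed versions, so none
# are hard-coded: a resolved version above the listed one only means this table
# does not apply to it, not that the library is patched.
MANAGED_2_7_18: Dict[str, Tuple[str, List[str]]] = {
    "io.undertow:undertow-core": ("2.2.28.Final", [
        "CVE-2023-1973", "CVE-2023-4639", "CVE-2024-1459", "CVE-2024-1635",
        "CVE-2024-3653", "CVE-2024-5971", "CVE-2024-7885"]),
    "com.rabbitmq:amqp-client": ("5.14.3", ["CVE-2023-46120"]),
    "org.elasticsearch:elasticsearch": ("7.17.15", [
        "CVE-2023-49921", "CVE-2024-23444", "CVE-2024-23450", "CVE-2024-43709"]),
    "org.apache.solr:solr-core": ("8.11.2", [
        "CVE-2023-50291", "CVE-2023-50292", "CVE-2023-50386"]),
    "org.apache.solr:solr-solrj": ("8.11.2", ["CVE-2023-50298"]),
    "ch.qos.logback:logback-core": ("1.2.12", ["CVE-2023-6378", "CVE-2023-6481"]),
    "org.postgresql:postgresql": ("42.3.8", ["CVE-2024-1597"]),
    "org.eclipse.jetty.http2:http2-common": ("9.4.53.v20231009", ["CVE-2024-22201"]),
    "org.eclipse.jetty:jetty-server": ("9.4.53.v20231009", ["CVE-2024-8184"]),
    "org.eclipse.jetty:jetty-servlets": ("9.4.53.v20231009", ["CVE-2024-9823"]),
    "org.apache.tomcat.embed:tomcat-embed-core": ("9.0.83", [
        "CVE-2024-24549", "CVE-2024-34750", "CVE-2024-50379", "CVE-2024-56337"]),
    "org.apache.tomcat.embed:tomcat-embed-websocket": ("9.0.83", ["CVE-2024-23672"]),
    "io.netty:netty-codec-http": ("4.1.101.Final", ["CVE-2024-29025"]),
}

# Maven properties through which a spring-boot-starter-parent build pins each
# library.  Assumption: names as in spring-boot-dependencies 2.7.x; verify them.
VERSION_PROPERTY = {
    "io.undertow": "undertow.version", "com.rabbitmq": "rabbit-amqp-client.version",
    "org.elasticsearch": "elasticsearch.version", "org.apache.solr": "solr.version",
    "ch.qos.logback": "logback.version", "org.postgresql": "postgresql.version",
    "org.eclipse.jetty": "jetty.version", "org.eclipse.jetty.http2": "jetty.version",
    "org.apache.tomcat.embed": "tomcat.version", "io.netty": "netty.version",
}

# One `mvn dependency:tree` line: groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):[a-z\-]+(?::[A-Za-z0-9_.\-]+)?"
    r":([A-Za-z0-9_.\-]+):(?:compile|runtime|provided|test|system)\b"
)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version: '9.4.53.v20231009' -> (9, 4, 53),
    '4.1.101.Final' -> (4, 1, 101).  Qualifiers are ignored when comparing."""
    nums: List[int] = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def parse_tree(tree_text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> resolved version for every dependency line."""
    resolved: Dict[str, str] = {}
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m:
            resolved[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return resolved


def audit(tree_text: str) -> List[Tuple[str, str, List[str]]]:
    """(coordinate, resolved version, CVEs) for each library resolved at or
    below the version Spring Boot 2.7.18 manages, sorted by coordinate."""
    findings = []
    for coord, version in parse_tree(tree_text).items():
        if coord in MANAGED_2_7_18:
            managed, cves = MANAGED_2_7_18[coord]
            if version_key(version) <= version_key(managed):
                findings.append((coord, version, cves))
    return sorted(findings)


def maven_overrides(findings: List[Tuple[str, str, List[str]]]) -> str:
    """<properties> block pinning each flagged library; replace the placeholder
    with the release the library's own advisory names as fixed."""
    props = sorted({VERSION_PROPERTY[coord.split(":")[0]] for coord, _, _ in findings})
    lines = ["<properties>"]
    lines += [f"  <{p}>REPLACE_WITH_PATCHED_VERSION</{p}>" for p in props]
    lines.append("</properties>")
    return "\n".join(lines)


# Constructed `mvn dependency:tree` output for a 2.7.18 application whose team
# already pinned PostgreSQL but left every other library at the managed version.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.18:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.18:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.83:compile
[INFO] |  |  \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.83:compile
[INFO] +- ch.qos.logback:logback-core:jar:1.2.12:compile
[INFO] +- org.postgresql:postgresql:jar:42.6.0:runtime
[INFO] \\- io.netty:netty-codec-http:jar:4.1.101.Final:compile
"""
```

Run `audit(SAMPLE_TREE)` and `maven_overrides(audit(SAMPLE_TREE))` against real `mvn dependency:tree -Dscope=compile` output for your own service. In the constructed sample, PostgreSQL is not reported because the build already resolves a release above 42.3.8; that only says the page's list does not cover it, so the fixed version for CVE-2024-1597 still has to be confirmed from the driver's advisory rather than assumed.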

Author: HeroDevs