
fix(deps): update dependency org.springframework:spring-webflux to v6.2.17 [security]#221

Open
renovate[bot] wants to merge 1 commit into main from
renovate/maven-org.springframework-spring-webflux-vulnerability

Conversation


@renovate renovate bot commented Mar 21, 2026

This PR contains the following updates:

Package Change
org.springframework:spring-webflux 6.2.11 → 6.2.17

GitHub Vulnerability Alerts

CVE-2026-22735

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

CVE-2026-22737

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.


Release Notes

spring-projects/spring-framework (org.springframework:spring-webflux)

v6.2.17


⭐ New Features

  • Leverage ResourceHandlerUtils in ScriptTemplateView #​36459
  • Restore ScriptTemplateViewTests #​36457
  • Fix log message in ConfigurationClassBeanDefinitionReader #​36454
  • Resolve context initializers only once in AbstractTestContextBootstrapper #​36431
  • Exclude legacy @javax.validation.Constraint from convention-based annotation attribute override check #​36412
  • Optimize MediaType(MediaType, Charset) constructor #​36351
  • Optimize the addition of a charset to the MediaType in AbstractHttpMessageConverter #​36350
  • Consistent adaptation of HTTP headers on Servlet responses #​36345
  • Improve performance of validation groups determination in WebFlux #​36337
  • Detect all common size exceptions from Tomcat and Commons FileUpload 2.x #​36324

🐞 Bug Fixes

  • Guard against invalid id/event values in Server Sent Events #​36442
  • Incomplete debug message in ConfigurationClassBeanDefinitionReader #​36411
  • Inconsistent ApplicationEventMulticaster state after removing ApplicationListener implemented by FactoryBean #​36405
  • Graceful shutdown of SimpleAsyncTaskExecutor #​36384
  • HttpMediaTypeException thrown when calculating compatible media types #​36363
  • ResolvableType#getGenerics() breaks serialization #​36347
  • Multipart upload leak on client abort (ByteBuf.release() not called) #​36327

📔 Documentation

  • Document @Fallback alongside Primary in the reference manual and @Bean Javadoc #​36441
  • Document registration recommendations for BeanPostProcessor and BeanFactoryPostProcessor #​36436
  • Fix links to UriComponentsBuilder and polish examples #​36406
  • Emphasize @Configuration classes over XML and Groovy in testing chapter #​36394
  • Polish SpEL operator examples in reference docs #​36375

🔨 Dependency Upgrades

v6.2.16


⭐ New Features

  • Improve performance of hashcode calculations for request mappings #​36297
  • Improve performance of HandlerMethod bean lookup #​36296
  • Improve performance of validation groups determination #​36295
  • Improve performance of single pattern request mappings #​36294
  • Optimize NamedParameterUtils#buildValueArray by lazily fetching SqlParameter #​36232
  • Consistently close streams through try-with-resources in FileCopyUtils #​36224
  • SqlBinaryValue and SqlCharacterValue should support InputStream content with undetermined length #​36220
  • DataBufferUtils.write() with NettyDataBuffer on JDK 25 hangs indefinitely #​36189
  • WebClient (Reactor) attributes on Netty channel do not clear after connection release #​36163
  • Reintroduce WebLogicJtaTransactionManager in Spring Framework 6.2.x #​36152
  • DisconnectedClientHelper should detect presence of RestClientException and WebClientException separately #​36150
  • Add DataAccessException and MessagingException to the excluded outermost exceptions in DisconnectedClientHelper #​36135
  • Improve user check in TransportHandlingSockJsService #​36129

🐞 Bug Fixes

  • Avoid lock congestion in ConcurrentReferenceHashMap #​36308
  • Resolved HttpEntity Controller argument does not reflect mutated HTTP headers #​36301
  • AbstractMessageConverter does not support wildcards in supported MIME types #​36286
  • Make LocalEntityManagerFactoryBean#setDataSource work on Hibernate as well as EclipseLink #​36272
  • Deadlock might occur when calling System.exit on startup (against multiple shutdown hooks) #​36268
  • Netty4HeadersAdapter.remove returns empty list instead of null for non-existing key #​36227
  • EclipseLinkConnectionHandle can fail against transaction isolation race condition #​36166
  • WiretapConnector leaks data buffers when response body not consumed #​36051
  • UriComponentsBuilder loses the fragment when it consists of only a single character #​36035
  • SimpleBeanInfoFactory fails to reliably resolve read/write methods in type hierarchies with unresolved generics #​36026

📔 Documentation

  • Fix links to JUnit User Guide #​36218
  • Fix LocalContainerEntityManagerFactoryBean#setPersistenceUnitName javadoc #​36206
  • Update documentation on trailing slash handling where type-level @GetMapping("/base") is combined with method level @GetMapping("/") #​36200
  • Update documentation on the MediaType used for ProblemDetail #​36193
  • Replace getErrors() with getBindingResult() in examples #​36172
  • Upgrade Antora dependencies #​36106
  • Fix typos and grammar #​36023

🔨 Dependency Upgrades

  • Bump fast-xml-parser from 4.5.2 to 5.3.4 in /framework-docs #​36239
  • Upgrade to ASM 9.9.1 and Objenesis 3.5 #​36244
  • Upgrade to JUnit 5.14.2 #​36148
  • Upgrade to Micrometer 1.15.9 #​36290
  • Upgrade to Reactor 2024.0.15 #​36289

v6.2.15


⭐ New Features

  • Avoid package cycle caused by use of UriComponentsBuilder in ServletServerHttpRequest #​35954
  • DefaultHandshakeHandler should not log client faults on error level #​35948
  • Use concurrent set behind reactive TransactionSynchronizationManager#registerSynchronization #​35922
  • Expose Collection on FragmentsRendering to facilitate Unit Tests #​35912
  • Different ReactorNettyWebSocketSession call getId() may return the same value #​35911
  • Enhance handleTypeMismatch error message in ResponseEntityExceptionHandler #​35878

🐞 Bug Fixes

  • NullPointerException thrown from JdkClientHttpRequestFactory for null request header value #​35998
  • State inconsistency in LazyConnectionDataSourceProxy when connection settings fail #​35981
  • SubscriberInputStream#resume misuses parked thread reference #​35979
  • PathMatchingResourcePatternResolver fails with URI in JAR manifest Class-Path entries #​35967
  • Strong locking in ConcurrentReferenceHashMap#computeIfAbsent may cause context initialisation deadlock #​35945
  • BridgeMethodResolver change in 6.2.13 breaks Spring Data entity introspection #​35941
  • DefaultMessageListenerContainer does not clear Session and MessageConsumer for paused invokers #​35935
  • Tighten cacheable decision behind @Lazy injection point #​35918
  • Use provided ReactiveAdapterRegistry in BindingContext constructor #​35914
  • Accidental fallback match for Collection-type beans due to @Bean-level qualifier annotation #​35909
  • SortedResourcesFactoryBean does not accept non-existent resources anymore #​35896

📔 Documentation

  • Document that annotations are ignored if attributes reference types not present in the classpath #​35973
  • Fix broken Javadoc links to methods #​35904
  • Refer to "Spring Tools" instead of "Spring Tools for Eclipse" in reference manual #​35902
  • Clarify JMS sessionTransacted flag for local versus global transaction #​35898
  • Reference docs should not use obsolete "junit5" links #​35893
  • Testing chapter references nonexistent Dependency Management documentation #​35891

🔨 Dependency Upgrades

v6.2.14


⭐ New Features

  • Add resetCaches() method to Caffeine/ConcurrentMapCacheManager #​35841
  • Fix single-check idiom in UnmodifiableMultiValueMap #​35831
  • Fix Spliterator characteristics in ConcurrentReferenceHashMap #​35828

🐞 Bug Fixes

  • MissingPathVariableException produces wrong status code in ProblemDetail #​35856
  • Fix getCacheNames() concurrent access in NoOpCacheManager #​35844
  • Annotation discovery regression for interfaces extending BeanNameAware and co. #​35838
  • Fix HtmlUtils unescape for supplementary chars #​35832

📔 Documentation

  • Fix cross-reference links in HtmlUnit sections #​35857
  • Remove @see Javadoc references to deprecated PropertiesBeanDefinitionReader #​35854

v6.2.13


⭐ New Features

  • Support response encoding in select and options JSP form tags #​35783
  • Preserve Connection readOnly state for DataSource with defaultReadOnly configuration #​35743
  • Optimize resource URL resolution in SortedResourcesFactoryBean #​35687
  • Relax multiple segment matching constraints in PathPattern #​35686
  • Support wildcard path elements at the start of path patterns #​35679
  • Validating byte[]s may produce OutOfMemoryError #​35675
  • Update in FragmentsRendering to names of static methods #​33974

🐞 Bug Fixes

  • ConcurrentReferenceHashMap misses dedicated computeIfAbsent, computeIfPresent, compute, merge implementations #​35794
  • Avoid unnecessary bridge method resolution around getMostSpecificMethod #​35780
  • Fix multi-release JAR issue with VirtualThreadDelegate #​35773
  • ContentNegotiationManager not finding media type when request includes quality parameter #​35754
  • Race condition in BufferingClientHttpResponseWrapper.getBody() #​35745
  • Deprecate setConnectTimeout on HttpComponentsClientHttpRequestFactory #​35748
  • Fix PathMatchingResourcePatternResolver to handle absolute paths in JAR manifests #​35732
  • BeanDefinitionBuilder.addAutowiredProperty causes error during AOT processing #​35731
  • Improve HttpServiceMethod support for Kotlin suspending functions returning Flow #​35718
  • Exception translation does not expose original BatchUpdateException anymore #​35717
  • Add hints for entities package-private methods #​35711
  • Fix concurrency permit leak causing deadlock in SimpleAsyncTaskExecutor #​35708
  • Remove jibx-marshaller element from spring-oxm.xsd #​35699
  • NullPointerException When Handling 407 with JdkClientHttpConnector in WebClient #​35692
  • Method-based Map injection fails against target Map with incomplete generics despite bean name or qualifier match #​35690
  • JUnit Jupiter TEST_METHOD ExtensionContextScope is not fully supported #​35680
  • Introduce isAutowirableConstructor(Executable, PropertyProvider) in TestConstructorUtils and deprecate existing variants #​35676
  • Reflection on java.sql.Types without runtime hints #​35674
  • getPubliclyAccessibleMethodIfPossible() returns hidden static method #​35667
  • RestClient hangs during upload with ReactorClientHttpRequestFactory #​34707

📔 Documentation

  • Correct formatting for Mono type #​35786
  • Improve Java Bean Validation documentation for controller methods #​35759
  • Fix typo in @NumberFormat Javadoc #​35742
  • Javadoc of AsyncConfigurer does not match runtime behavior #​35736
  • Document PathPattern behavior difference between */{name} and **/{*path} #​35727
  • Fix minor typo in RestClient documentation #​35723
  • Document test-method scoped TestContext semantics #​35716
  • Improve docs on AbstractStreamingClientHttpRequest for streaming vs buffering mode #​35700
  • Fix minor typo in JDBC Core Classes documentation #​35684
  • Fix typos #​35656
  • Improve spring-web filter documentation #​30454

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Anxton, @​Artur-, @​HJC96, @​MoadElfatihi, @​NYgomets, @​cbsingh1, @​dmitrysulman, @​ekcom, and @​scordio

v6.2.12


⭐ New Features

  • Add "forEachByte" variant to DataBuffer for efficient traversing #​35623
  • Nested transaction support via savepoints is broken in HSQLDB database [followup] #​35618
  • Improve exception handling in ConfigurationClassBeanDefinitionReader #​35631
  • Add MySQL/MariaDB to TableMetaDataProviderFactory for correct generated-keys support #​35593
  • Optimize state management in StompSubProtocolHandler #​35591
  • ServletServerHttpRequest.getRemoteAddress() may perform DNS lookup #​35589
  • Emit log message when multiple primary beans are detected #​35550
  • Duplicate key error is mapped to TransientDataAccessException by SQLStateSQLExceptionTranslator for BatchUpdateException #​35547
  • Remove redundant object allocation in cglib proxy method calls #​35543
  • Remove deprecation on CandidateComponentsIndex and CandidateComponentsIndexLoader #​35472
  • Processing response with no Content-Length header and no body raises EOFException #​35361

🐞 Bug Fixes

  • DefaultListableBeanFactory::getBeanNamesForType does not always return all bean names #​35634
  • Consider defaultCandidate for scoped proxies #​35627
  • Release data buffer in AbstractCharSequenceDecoder even when String creation fails #​35625
  • PathMatchingResourcePatternResolver is not able to resolve file in SpringBoot Packaged JAR #​35617
  • Prevent NoClassDefFoundError when Jetty Reactive HttpClient is not available #​35608
  • Performance regression with Property Placeholder Resolution #​35594
  • Retain order of produces media types in @ExceptionHandler #​35587
  • Nested transaction support via savepoints is broken in HSQLDB database #​35564
  • SpEL expression parser uses more CPU after upgrade to 6.2.9 #​35556
  • Thread race during FactoryBean instantiations starting with 6.2 due to lenient locks #​35545
  • Update parsed path handling in UrlHandlerFilter #​35538
  • ResourceHttpMessageWriter.write has unexpected error handling for invalid range requests (offset > content length) #​35536
  • AbstractTestNGSpringContextTests is not thread-safe regarding tracked exceptions #​35528
  • UrlHandlerFilter breaks RequestDispatcher.forward() on Tomcat #​35509
  • AbstractMockHttpServletRequestBuilder#buildRequest is not idempotent #​35493
  • Add support for JvmDefault (default in Kotlin 2.2.20+) #​35487
  • InstanceSupplierCodeGenerator fails to detect deprecated type on package private factory method #​35486
  • Fix synchronization in ResponseBodyEmitter #​35466
  • useCaches option in PathMatchingResourcePatternResolver not applied in special case #​35465
  • Deadlock during context initialization due to EntityManager lock #​35398

📔 Documentation

  • Improve guidance in WebFlux on how to join inbound and outbound streams in WebSocketHandler #​35572
  • Fix idref example in reference manual #​35560
  • Fix URI Patterns docs in WebMVC and WebFlux Request Mapping #​35551
  • Allow event listener method declared with multiple event classes to take a single parameter that is assignable from all of those event classes #​35506
  • Improve Task Javadoc about Runnable wrapping #​35394

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Entea, @​IMurzich, @​hosea, @​maziyarbahramian, @​mlichtblau, @​nstdio, @​reckart, and @​reda-alaoui


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner March 21, 2026 02:14

codecov bot commented Mar 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@renovate renovate bot changed the title Update dependency org.springframework:spring-webflux to v6.2.17 [SECURITY] fix(deps): update dependency org.springframework:spring-webflux to v6.2.17 [security] Mar 24, 2026