@alaudaa-renovate
This PR contains the following updates:

Package | Change
org.springframework:spring-webmvc | 6.2.7 -> 6.2.10

Spring Framework MVC Applications Path Traversal Vulnerability

CVE-2025-41242 / GHSA-r936-gwx5-v52f

Details

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.

An application can be vulnerable when all the following are true:

We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

spring-projects/spring-framework (org.springframework:spring-webmvc)

v6.2.10

⭐ New Features

  • Optimize NIO path resolution in PathEditor #35304
  • Make type in ProblemDetail nullable #35294
  • Refine UriUtils#decode and StringUtils#uriDecode implementation and documentation #35253
  • Provide configurable useCaches option for URLConnection usage in UrlResource (avoiding jar file leak) #35218

🐞 Bug Fixes

  • @Scheduled tasks running in SimpleAsyncTaskScheduler are interrupted immediately on context close #35254
  • ScriptUtils.executeSqlScript() does not support multiple results per statement #35248
  • Successful Autowiring Dependent on Configuration ordering and Primary Bean flag #35239
  • Locale parameter in MessageSource#getMessage methods should be nullable #35230
  • Allow any @Transactional propagation for @TransactionalEventListener with BEFORE_COMMIT phase #35150
  • Catalog name should be handled with the provided case #35064
  • Accept support for generated keys column name array on HSQLDB and Derby as well #34790
  • Handle direct CancellationException on timeout in JdkClientHttpRequest #34721

📔 Documentation

  • Add documentation of RequestMapping about SpEL #35232
  • Document SqlBinaryValue behaviour with PostgreSQL #34786

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Allan-QLB, @carsago, @cw-dimedis, and @giampa91

v6.2.9

⭐ New Features

  • OncePerRequestFilter cannot be CGLib-proxied #35198
  • Consistently catch InaccessibleObjectException next to IllegalAccessException #35190
  • Introduce Date-to-Instant and Instant-to-Date converters #35175
  • Consistent nullability and exception declarations in AbstractMessagingTemplate hierarchy #35159
  • Register runtime hints for Instant-to-Timestamp conversion #35156
  • Improve handling of ResponseEntity<?> in Spring MVC #35153
  • Support @CacheConfig("myCacheName") declarations for simplified configuration #35152
  • Declare messageSelector parameters in JmsOperations as @Nullable #35151
  • Add getter for OverflowStrategy in ConcurrentWebSocketSessionDecorator #35132
  • Use preset Content-Type for streaming and reactive responses in Spring MVC #35130
  • Leniently tolerate null @Aspect bean #35074
  • DataAccessResourceFailureException thrown when transaction times out on PostgreSQL #35073
  • MethodInvokingFactoryBean fails to invoke publicly exported methods overridden by internal classes when using JPMS #34028

🐞 Bug Fixes

  • Restore preference for interface (most abstract) method in getPubliclyAccessibleMethodIfPossible #35189
  • Make targetBeanName field in AbstractBeanFactoryBasedTargetSource protected to avoid exceptions in logging and toString() #35172
  • Fix inconsistencies in StaticListableBeanFactory #35119
  • Support StreamingHttpOutputMessage in RestClient #35102
  • When building DELETE requests, the request body is not used in JdkClientHttpRequest.buildRequest #35068
  • AOT-generated bean registration file contains "too many constants" when building with many beans #35044
  • Prevent cache pollution by storing only the factories #34732
  • WebFlux decodes wildcard content-types as form-data/multipart #34660
  • AOT-generated CGLib proxies do not contain method overrides #34642
  • 500 response for ResourceHttpRequestHandler when requested range is not satisfied #34490

📔 Documentation

  • Document how to register runtime hints for convention-based conversion #35178
  • Link to @ContextConfiguration Javadoc from reference manual #35088

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Meijuh, @RazorNd, @chenggwang, @izeye, @mjd507, @ngocnhan-tran1996, and @philwebb

v6.2.8

⭐ New Features

  • Nullability @Contract declaration for CodeFlow.isIntegerForNumericOp() is unnecessary #34985
  • Serializer hint registration is broken for some Kotlin classes #34979
  • Clients created using JdkClientHttpRequestFactory set content-length for GET, DELETE and HEAD requests #34971
  • Support registration of non-public BeanDefinitionReader via @ImportResource #34928
  • Make max size for pattern cache in PathPatternMatchableHandlerMapping configurable #34918
  • Add optimized DataBufferInputStream overrides #34799

🐞 Bug Fixes

  • Encode non-printable character in Content-Disposition parameter #35034
  • Allow update of existing WebSession after max sessions limit is reached #35013
  • Fix support for collections in AbstractKotlinSerializationHttpMessageConverter #34992
  • PathPattern#combine throws StringIndexOutOfBoundsException #34986
  • Fix AOT code generation for autowired inner class constructor #34974
  • AbstractFileResolvingResource.exists closes JAR resource input streams with v6.2.7 #34955
  • Enhanced configuration class fails to call package-visible superclass constructor on WebSphere #34950
  • Fix REPLY_CHANNEL header check in MessageHeaderAccessor #34949
  • MockEnvironment does not accept Object property values #34947
  • PropertySourcesPlaceholderConfigurer no longer uses ConversionService from Environment #34936
  • @Contract for StreamUtils.drain() incorrectly declares null results in an exception #34933
  • Inconsistent behavior injecting null @Bean factory parameter #34929
  • MockHttpServletRequest.addHeader duplicates "Content-Type" header #34913
  • BeanUtils.getParameterNames fails for Kotlin data classes #34760
  • JAXB message converters ignore Content-Type charset #34745
  • Aspect Not Triggered After Restart in Spring Boot 3.4.x (But Works in 3.3.10) #34735
  • Add caching headers to unmodified static resources #34614

📔 Documentation

  • Apply gh-34856 to MockClientHttpRequest in testfixture package #35031
  • Fix ResourceHttpRequestHandler#setHeaders JavaDoc #35004
  • Remove reference to AspectJ Eclipse Javadoc #35000
  • Mention CompletableFuture in Spring MVC "Asynchronous Requests" section of reference manual #34991
  • Fix exception name in ModelAttribute docs #34980
  • Fix syntax in @SqlGroup example #34972
  • Update X-Forwarded-Proto doc to say https / http #34959
  • Update Guidance on Best Practices To Test Code That Uses RestClient and RestTemplate #34892
  • Add a section for WebAsyncTask in mvc-ann-async.adoc #34885
  • Clarify what @RestControllerAdvice vs @ControllerAdvice apply to by default #34866
  • Improve Javadoc for @ExceptionHandler #34554

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Allan-QLB, @Aurh1l, @BowieDu, @DhruvTheDev1, @Dongnyoung, @JimmyAx, @addoDev, @dmitrysulman, @izeye, @jjank, @kilink, @mbazos, @msnsaeed71, @ngocnhan-tran1996, @nosan, @remeio, @vpavic, and @yuzawa-san


Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.