Spring deprecation
Using the Spring Framework in custom Jahia modules has been deprecated since Jahia 8.2. No new Jahia development will use the Spring Framework, and we are actively phasing out its existing use. We strongly advise you to do the same in your custom code.
Critical security concerns: Jahia core and some of our supported modules currently use old versions of the Spring Framework library. These versions are known to contain multiple vulnerabilities, including some rated as critical and high severity. We regularly check if Jahia core and our officially supported modules are affected by newly reported Spring vulnerabilities:
- If we find that Jahia core or a supported module is vulnerable, we will either backport fixes to our forked Spring version or provide alternative mitigations. These solutions will be communicated through security notifications, similar to other vulnerability reports.
- If we determine that Jahia core or a supported module is not directly exposed to a specific vulnerability (because we do not use the vulnerable Spring feature), we will not take immediate action.
Customer Responsibility (if you are using Spring Framework inside your modules): Even if Jahia core and supported modules are not directly exposed to a security vulnerability, your custom modules and code might still be. You are responsible for mitigating such risks. We recommend you take the following actions:
- Thoroughly examine your custom codebase to determine if it uses any vulnerable Spring Framework features or methods.
- Remove all usage of the Spring Framework from your custom code. If you cannot implement a requirement without the Spring Framework, contact our support team.
- Stay informed about Spring vulnerabilities by regularly checking spring.io/security.
To determine the Spring version currently used by your Jahia instance, navigate to Administration > Server > System > System information and search for "spring-core-".
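One way to carry out the first of those steps, as an added example that is not Jahia tooling: a POSIX shell script that inventories Spring references in a module's source tree (sources importing org.springframework classes, XML files using a Spring schema, and Spring dependencies in pom.xml), run against a constructed sample module. The Maven layout and the META-INF/spring location for bean files are assumptions; adapt the paths to your module.

```shell
# Inventory Spring Framework usage in a Jahia module's source tree before
# migrating off it. Hypothetical helper, not Jahia tooling: it assumes a standard
# Maven layout (pom.xml, src/main/java, src/main/resources/META-INF/spring).

# Print every Spring reference under directory $1, one per line, tagged by kind.
spring_usage() {
  dir="$1"
  # 1. Java/Groovy/Kotlin sources that reference org.springframework.* classes.
  find "$dir" -type f \( -name '*.java' -o -name '*.groovy' -o -name '*.kt' \) \
       -exec grep -l 'org\.springframework' {} + | sed 's/^/source  /'
  # 2. Bean definition files: any XML that declares a Spring schema namespace.
  find "$dir" -type f -name '*.xml' \
       -exec grep -l 'www\.springframework\.org/schema' {} + | sed 's/^/context /'
  # 3. Maven dependencies on Spring artifacts (groupId org.springframework*).
  find "$dir" -type f -name 'pom.xml' \
       -exec grep -l '<groupId>org\.springframework' {} + | sed 's/^/pom     /'
}

# Number of Spring references under $1; 0 means there is nothing left to migrate.
spring_usage_count() {
  spring_usage "$1" | wc -l | tr -d ' '
}

# Constructed sample module (not real Jahia code) used to demonstrate the scan:
# one legacy Spring-wired action, one clean action, one bean file, one pom.
make_sample_module() {
  root="$1"
  mkdir -p "$root/src/main/java/org/example" "$root/src/main/resources/META-INF/spring"
  cat > "$root/pom.xml" <<'EOF'
<project><dependencies><dependency>
  <groupId>org.springframework</groupId><artifactId>spring-core</artifactId>
</dependency></dependencies></project>
EOF
  cat > "$root/src/main/java/org/example/LegacyAction.java" <<'EOF'
package org.example;
import org.springframework.beans.factory.annotation.Autowired;
public class LegacyAction { @Autowired Object dependency; }
EOF
  cat > "$root/src/main/java/org/example/CleanAction.java" <<'EOF'
package org.example;
public class CleanAction { }
EOF
  cat > "$root/src/main/resources/META-INF/spring/legacy-context.xml" <<'EOF'
<beans xmlns="http://www.springframework.org/schema/beans"/>
EOF
}
```

Run `spring_usage /path/to/module` against each custom module; every line it prints is a reference you still need to remove or replace before the module is Spring-free.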
In summary: Jahia's Spring usage poses some specific security risks. We are taking steps to mitigate vulnerabilities within our core and supported modules, but you bear the ultimate responsibility for securing your custom code. We strongly recommend migrating away from Spring Framework as soon as possible.