SPRING BOOT FIXES MAIL SECURITY GAP, SPRING AI RESTORES PDF HANDLING
By RepoJournal · Filed · About Spring
Spring Boot 4.0.7 patches a hostname verification bypass in MailSender auto-configuration while Spring AI closes a critical regression that broke PDF document parsing in Claude and GPT models.
Spring Boot 4.0.7 landed overnight with a security fix for MailSender auto-configuration that was silently disabling hostname verification [1]. This is the kind of silent-fail security issue that ships undetected in production.
Spring AI simultaneously shipped a fix restoring PDF media mapping in OpenAiChatModel [2], which broke in the 2.0 rewrite onto the official OpenAI SDK. PDFs were falling through to base64 text instead of parsed documents. Spring AI also fixed MCP integration test flakiness [3] by gracefully closing servers, tuning timeouts to 60s, and standardizing container images.
Across the stack, Spring Integration fixed two critical bugs: a multibyte character offset issue in DatagramPacketMessageMapper [4] that corrupted UDP messages with non-ASCII headers, and a Math.abs() overflow in PartitionedDispatcher [5] that crashed with Integer.MIN_VALUE.
Spring Boot dependency management got realigned [7], removing Protobuf Common Protos management to let gRPC Java control the version transitively. Spring AI replaced deprecated Jackson methods [6], migrating from asText() to asString() and switching to jspecify annotations for null safety.
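The `Math.abs()` failure mode behind the PartitionedDispatcher fix [5], as an added Java example (not code from Spring Integration): `Math.abs(Integer.MIN_VALUE)` is still negative, so a hash-to-partition index built on it can fall outside the partition array. The class name, method names and sample keys are constructed for illustration.

```java
import java.util.List;

// Added illustration; not Spring Integration's PartitionedDispatcher code.
public class PartitionIndexDemo {

    // Flawed: Math.abs(Integer.MIN_VALUE) is still Integer.MIN_VALUE, because
    // +2^31 is not representable as an int, so the remainder can be negative.
    static int unsafeIndex(Object key, int partitions) {
        return Math.abs(key.hashCode()) % partitions;
    }

    // Safe: floorMod returns a value in [0, partitions) for any int hash.
    static int safeIndex(Object key, int partitions) {
        return Math.floorMod(key.hashCode(), partitions);
    }

    public static void main(String[] args) {
        // With a power-of-two partition count the flawed remainder is 0 and the
        // bug stays hidden; 3 partitions gives -2 for Integer.MIN_VALUE.
        int partitions = 3;
        String[] queues = new String[partitions];
        // Constructed sample keys; Integer.hashCode() returns the int value itself.
        List<Object> keys = List.of(42, -7, Integer.MAX_VALUE, Integer.MIN_VALUE);

        for (Object key : keys) {
            int safe = safeIndex(key, partitions);
            queues[safe] = String.valueOf(key);
            try {
                int unsafe = unsafeIndex(key, partitions);
                queues[unsafe] = String.valueOf(key);
                System.out.printf("key=%s unsafe=%d safe=%d%n", key, unsafe, safe);
            } catch (ArrayIndexOutOfBoundsException e) {
                System.out.printf("key=%s unsafe index out of bounds (%s) safe=%d%n",
                        key, e.getMessage(), safe);
            }
        }
    }
}
```

Where the key that feeds the hash comes from message headers or other untrusted input, a single crafted value is enough to hit this path, so range-check any derived index before using it.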
Action items
- Upgrade Spring Boot to 4.0.7 immediately if using MailSender auto-configuration (spring-projects/spring-boot) [immediate]
- Update Spring AI to latest if handling PDF documents in chat models (spring-projects/spring-ai) [immediate]
- Patch Spring Integration 7.x for UDP multibyte and partition dispatcher fixes (spring-projects/spring-integration) [plan]
- Monitor Spring Boot gRPC alignment; verify Protobuf version consistency in your builds (spring-projects/spring-boot) [monitor]
References
- [1] (4.0.x): Bump org.springframework.boot from 4.0.6 to 4.0.7 spring-projects/spring-credhub
- [2] Restore PDF media mapping in `OpenAiChatModel` spring-projects/spring-ai
- [3] Fix MCP integration tests flakiness spring-projects/spring-ai
- [4] GH-11115: Fix multibyte ack-header offset in DatagramPacketMessageMapper spring-projects/spring-integration
- [5] GH-11114: Fix `PartitionedDispatcher` for `Integer.MIN_VALUE` spring-projects/spring-integration
- [6] Replace deprecated JsonNode methods and null-safe annotations spring-projects/spring-ai
- [7] Remove dependency management for Protobuf Common Protos spring-projects/spring-boot
FAQ
- What changed in Spring on June 16, 2026?
- Spring Boot 4.0.7 patches a hostname verification bypass in MailSender auto-configuration while Spring AI closes a critical regression that broke PDF document parsing in Claude and GPT models.
- What should Spring teams do about it?
- Upgrade Spring Boot to 4.0.7 immediately if using MailSender auto-configuration • Update Spring AI to latest if handling PDF documents in chat models • Patch Spring Integration 7.x for UDP multibyte and partition dispatcher fixes
- Which Spring repositories shipped on June 16, 2026?
- spring-projects/spring-credhub, spring-projects/spring-ai, spring-projects/spring-integration, spring-projects/spring-boot