
Upgrade to Spring Boot 3.5.13 #15534

Merged
jdaugherty merged 1 commit into apache:7.0.x from fdevans:deps/spring-boot-3.5.13
Mar 31, 2026



fdevans commented Mar 27, 2026

Upgrades Spring Boot from 3.5.11 to 3.5.13.

Security

This upgrade addresses four CVEs across Spring Boot and Spring Framework 6.2.17 (bundled in 3.5.13):

Spring Boot (fixed in 3.5.12):

  • CVE-2026-22731 (High, CVSS 8.2) — Authentication bypass under Actuator Health group paths
  • CVE-2026-22733 (High, CVSS 8.2) — Authentication bypass under Actuator CloudFoundry endpoints

Spring Framework 6.2.17 (bundled in Spring Boot 3.5.12+):

  • CVE-2026-22735 (Low, CVSS 2.6) — Server-Sent Event stream corruption in Spring MVC/WebFlux
  • CVE-2026-22737 — Information disclosure via path traversal in script view templates

Notable changes in 3.5.13

  • Jackson upgraded to 2.21.2 — the Jackson team has ended support for 2.19.x and 2.20.x
  • Hibernate 6.6.45.Final
  • Tomcat 10.1.53
  • Netty 4.1.132.Final
  • Undertow 2.3.24.Final

Full release notes: https://github.com/spring-projects/spring-boot/releases/tag/v3.5.13


testlens-app bot commented Mar 27, 2026

✅ All tests passed ✅

🏷️ Commit: b297120
▶️ Tests: 40170 executed
⚪️ Checks: 31/31 completed


Learn more about TestLens at testlens.app.


jdaugherty commented Mar 29, 2026

Release announcement here: https://spring.io/blog/2026/03/26/spring-boot-3-5-13-available-now

FYI: Because of the recent trivy & TeamPCP compromise, the Grails team has decided to hold off on upgrading Spring until next week. We want to make sure there are no wider ecosystem impacts prior to release. The expectation is to merge this later this week and then call for a 7.0.x vote & 7.1.x vote.

@jdaugherty

I am discussing with other team members merging this since a 3-day vote window would still put the release on Friday.


jdaugherty commented Mar 31, 2026

jdaugherty merged commit b0dc6d6 into apache:7.0.x Mar 31, 2026
32 checks passed