Protect your older, vulnerable Java dependencies with patched builds, allowing you to upgrade on your own schedule and avoid having to ask the security team for an exception.
The world’s leading companies trust Chainguard
Why Chainguard?
Every Java package you need from a secure source
CVE backports for hard to upgrade versions
Quiet your scanner with backported fixes for critical and high-severity CVEs in the Spring Boot ecosystem.
Proactive malware prevention
Stay protected from the next intra-ecosystem credential-stealing worm that hits Maven Central.
Verified integrity
Every Chainguard-built version comes with signed provenance and SBOMs so you have proof every binary matches its source code.
Expertise and experience
The leading open source minds driving the industry forward, delivering new innovations for developers.t
Don’t break your critical app to fix a vulnerability
Stay secure without the forced refactor. Chainguard backports upstream fixes for critical and high-severity CVEs directly into our malware-free dependency catalog. You get the security of the latest patch with the stability of your current version, giving your team ore time to plan upgrades on your terms.
CVE-2024-38819
Remediates a vulnerability in Spring Boot that allows for attackers to craft malicious HTTP requests to pull any file there server can read.
CVE-2026-22732
Remediates a Spring Boot Security vulnerability where security headers like X-Frame-Options are silently dropped from HTTP responses.
CVE-2026-22733
Remediates a vulnerability in Spring Boot’s CloudFoundry Actuator integration that allows attackers to reach private endpoints.
CVE-2026-22737
Remediates a vulnerability in Spring Framework’s scripting engine template views that exposes files outside configured template directories.
Built for teams where speed and security are non-negotiable
Financial services
Your transaction processing and fraud detection systems run on Spring Boot and a vulnerable dependency is the last thing standing between you and a security incident that makes the news.
Healthcare and insurance
Your claims processing and patient data systems can’t go down for unplanned upgrades, and backported CVE fixes let you stay compliant with HIPAA and GDPR without rearchitecting your platform.
Enterprise SaaS
Your enterprise customers’ security teams will find every CVE in your stack before you close, so ship with patched Java packages and skip the remediation back-and-forth that stalls deals.
Covers all of your dependencies
Access the backend stack you need, such as Spring Boot, Maven, and Hibernate, along with every other dependency your application requires.
Signed, sealed, and dependable
Every version comes built with full provenance and signed SBOMs, so you have indisputable proof that your dependencies came from the SLSA L3-compliant Chainguard Factory, not a vulnerable maintainer’s machine.
Works with your existing tooling
Chainguard Libraries works with your existing artifact managers and workflows. Each package has the same functionality as to what you’ll find on Maven Central, so there are no breaking changes. Your engineers won’t notice a difference.
Explore the rest of Chainguard’s product suite
Related resources