
Spring is 23 years old. AI just made it a security emergency.

AI-powered scanners are finding Spring vulnerabilities faster than teams can patch them — and Broadcom is betting clean-room builds and day-zero CVE access can close the gap.
Jun 9th, 2026 2:48pm by

AI is rewriting the rules of software security, and the Java ecosystem — the backbone of enterprise computing for more than 30 years — is feeling it in real time.

Broadcom, steward of the open-source Spring Framework, announced Monday what it is calling the largest set of Spring security updates to be open-sourced in the framework’s 23-year history.

The company is also bringing its SLSA Level 3-validated, clean-room-built Java dependencies to the entire Spring ecosystem for enterprise Tanzu Spring customers, who will also get day-zero access to CVE-only patches before they reach the open source community. The motivation is clear: Monthly security advisories reported to Broadcom by the Spring community jumped more than 1,700% from March to April 2026.

That sharp spike was driven in part by foundation models that can analyze codebases at a scale and speed no human security team can match. The bottleneck has moved from finding vulnerabilities to fixing them fast enough.

Holger Mueller, analyst at Constellation Research, tells The New Stack that AI is changing the game.

“Look at the jump in vulnerabilities for the secure enterprise Spring framework. AI is changing the game all across the stack and is phenomenal to identify vulnerabilities in existing code,” Mueller says. “It is good to see Broadcom as the steward of the popular Spring framework doing the right thing and quickly fixing the found vulnerabilities and making Spring AI era-ready. But let’s not be fooled. This is not a sprint; it’s a marathon. But for now, Broadcom is off to a good start.”

Java’s AI moment raises the stakes

The stakes are high because Spring is everywhere. The framework runs in more than half of Fortune 500 companies. And its footprint is only growing more consequential as Java becomes the default language for running AI in production. According to Azul’s 2026 State of Java Survey — drawn from more than 2,000 Java professionals — 62% of enterprises now use Java to code AI functionality, up from 50% a year ago. Python may own the model-building and prototyping layer, but Java is where those models actually run a business.

The CVE burden is already crushing teams

Java professionals know security is now table stakes for staying competitive in that environment. When Azul asked respondents what capabilities Java would need in an AI-enabled development landscape, built-in security features ranked second at 34%, right behind long-term support. And the CVE burden is already hitting teams hard: 56% now deal with Java-related CVEs on a daily or weekly basis, up from 41% in 2025. Thirty percent say their teams waste more than half their time chasing false positives — scanners flagging vulnerabilities in code paths that never actually execute in production.

Two tracks: Open source and enterprise

Broadcom’s response runs on two tracks.

For the open source Spring community, the company has scaled its use of frontier model-based scanning and validation workflows to identify and remediate vulnerabilities across the dependency ecosystem — the largest such investment in Spring’s history, Broadcom says.

For paying Tanzu Spring customers, the new offering front-runs open source releases with day-zero, CVE-only patches delivered through the Spring Enterprise Repository. Isolating the security fix from any other change is the point: it lets enterprise teams remediate faster without the risk of picking up unintended changes alongside the patch.

100,000 validated builds

The supply chain piece is substantial. Broadcom is extending its clean-room build architecture — the same approach that underpins Bitnami — across the full transitive dependency graph managed by the Spring Boot bill of materials. Spring Boot 4.0 alone manages 1,768 dependencies. Across the full supported portfolio, the investment covers more than 100,000 validated dependency builds, spanning both current and end-of-life Spring versions.

“Spring is one of the most widely adopted application development frameworks in the world, and as its steward, we have a deep responsibility for its security,” says Purnima Padmanabhan, VP and GM of the Tanzu Division at Broadcom, in a statement. “Because we maintain Spring and are the sole committers, we can better secure it at the source for everyone who depends on it.”

The sole committers question

That “sole committers” positioning is worth a second look. Spring is an open-source project, and Broadcom’s tight grip on it — inherited through the VMware acquisition — has been a point of friction within the developer community. The company is presenting exclusive stewardship as a security advantage. Whether the broader Spring community sees it that way is a different question.

A marathon, not a sprint

What isn’t in question is the scale of the problem Broadcom is responding to. AI is making it trivially easy to find vulnerabilities in code that has been sitting quietly in production for years. The dependency graphs for modern Spring applications run deep. And as Java becomes the runtime layer for enterprise AI, the cost of a supply chain compromise goes up. Broadcom is betting that enterprise customers will pay for the speed and certainty that day-zero CVE access and a verified dependency chain provide.

Mueller’s marathon framing is probably the right one. This is not a problem that gets solved in a release cycle.
