Spring Boot 3.5 EOL — The CVE Blind Spot Nobody Talks About
Spring Boot 3.5 reaches end of open-source support on June 30, 2026, but the real risk isn't the migration — it's what happens to CVE reporting afterward. Once a project goes EOL, security researchers stop filing reports against it, maintainers stop triaging, and the CVE pipeline dries up. Vulnerabilities don't disappear; they just stop being recorded. Bad actors exploit this gap by testing CVEs found in supported branches against EOL versions that will never receive patches. Spring Boot 2.7's post-EOL trajectory (e.g., CVE-2024-38807 with no open-source fix) illustrates the pattern. Teams still on 3.5 after June 2026 risk running what the author calls 'zombie dependencies' — technically present, functionally dead from a security standpoint, with scanners showing green while hidden vulnerabilities accumulate. The advice: assess the 3.5-to-4.0 migration scope now, before the silence sets in.
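The practical consequence of the paragraph above is that a CVE scanner cannot tell you a dependency is dead; only a support-timeline check can. The following script is an added example, not code from the article or from the Spring project. It reads the Spring Boot parent version out of a constructed `pom.xml` fragment, compares the minor line against an end-of-support table, and flags the combination the article calls a zombie dependency: past EOL, yet reported clean by the scanner. The 3.5 date comes from the article; the 2.7 date is an assumption to verify against the official Spring support timeline, and the `scanner_cve_count` input stands in for whatever your scanner reports.

```python
"""Flag Spring Boot lines that are past open-source EOL, independently of CVE-scanner results.

Added example: the article's point is that scanners stay green after EOL because
nobody files CVEs any more, so EOL status must be checked on its own.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Open-source support end dates per minor line.
# 3.5 is stated in the article; 2.7 is an assumption (verify against spring.io).
SPRING_BOOT_OSS_EOL = {
    "3.5": date(2026, 6, 30),
    "2.7": date(2023, 11, 24),  # assumed, not from the article
}

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml fragment (not a real project file).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.5.4</version>
  </parent>
  <artifactId>demo-service</artifactId>
</project>
"""


@dataclass
class Assessment:
    version: Optional[str]
    line: Optional[str]
    status: str          # "supported", "eol", or "unknown"
    eol_date: Optional[date]
    zombie: bool         # past EOL while the scanner reports zero findings


def parse_spring_boot_version(pom_xml: str) -> Optional[str]:
    """Return the spring-boot-starter-parent version declared in <parent>, if any."""
    root = ET.fromstring(pom_xml)
    parent = root.find("m:parent", MAVEN_NS)
    if parent is None:
        return None
    group = parent.findtext("m:groupId", default="", namespaces=MAVEN_NS)
    artifact = parent.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
    if (group, artifact) != ("org.springframework.boot", "spring-boot-starter-parent"):
        return None
    return parent.findtext("m:version", default=None, namespaces=MAVEN_NS)


def minor_line(version: str) -> str:
    """'3.5.4' -> '3.5'; the EOL table is keyed by minor line."""
    return ".".join(version.split(".")[:2])


def assess(version: Optional[str], scanner_cve_count: int, today: date) -> Assessment:
    """Classify a Spring Boot version against the EOL table for a given date.

    A line missing from the table is reported as 'unknown' rather than assumed safe,
    because the silence the article describes is exactly what 'no data' looks like.
    """
    if version is None:
        return Assessment(None, None, "unknown", None, False)
    line = minor_line(version)
    eol = SPRING_BOOT_OSS_EOL.get(line)
    if eol is None:
        return Assessment(version, line, "unknown", None, False)
    if today > eol:
        # Zero scanner findings on an EOL line is the blind spot, not a clean bill.
        return Assessment(version, line, "eol", eol, scanner_cve_count == 0)
    return Assessment(version, line, "supported", eol, False)


if __name__ == "__main__":
    v = parse_spring_boot_version(SAMPLE_POM)
    for check_date in (date(2026, 6, 1), date(2026, 7, 1)):
        a = assess(v, scanner_cve_count=0, today=check_date)
        print(f"{check_date}: {a.version} line {a.line} -> {a.status}"
              + (" (ZOMBIE: EOL with no scanner findings)" if a.zombie else ""))
```

Run it as-is to see the same 3.5.4 build flip from "supported" to a zombie finding the day after the EOL date; in a CI job, fail the build on `status == "eol"` or `status == "unknown"` rather than on scanner output alone.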
Table of contents

- The CVE Blind Spot
- The River Styx
- When Dependencies Become Zombies
- Spring Boot 3.5: The Next Crossing
- The Map, Not Just the Landscape