If you have a security scan flagging a dependency of a CVE (vulnerability) that is used Spring, you should not wait for their next update cycle to update it. You can update it yourself, find out how in this post.