diff --git a/documentation/user-guide/2.5/introduction/whats-new/2.5.md b/documentation/user-guide/2.5/introduction/whats-new/2.5.md index a5be316..7a00590 100644 --- a/documentation/user-guide/2.5/introduction/whats-new/2.5.md +++ b/documentation/user-guide/2.5/introduction/whats-new/2.5.md @@ -37,6 +37,8 @@ to the Restlet Framework in version 2.5. * __Removals__ * removed extensions deprecated in version 2.4: EMF, JavaMail, JAX-RS, JibX, Lucene, NIO, OAuth, OpenID, Platform, RAML, Simple, WADL * removed native Restlet XML configuration feature. Please use Spring for an alternative approach if needed. +* __Security__ + * Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. Restlet Framework isn't able to upgrade to Spring Framewortk version 6.0 due to its requirement to use Java 8. If you are running Java 17+, please override the Spring dependency in your POM to version 6.0+ * __Misc__ * deprecated GAE, OSGi and RDF extensions for removal in next major release. * deprecated SDC, SIP protocol and challenge scheme
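Review bot: The new `__Security__` bullet needs a correction pass before merge: "Spring Framewortk" should read "Spring Framework", and "this issue may or not occur" should read "this issue may or may not occur". The advisory text also gives no reference for the deserialization RCE it describes; a link to the upstream Spring security advisory (or the relevant identifier, once confirmed) would let readers verify the claim and judge their own exposure rather than taking the summary on trust. Finally, the mitigation "override the Spring dependency in your POM to version 6.0+" is stated without the constraint that matters for users who follow it: Spring Framework 6.0 requires Java 17 and the Jakarta EE 9+ namespace, so the bullet should state which Spring version the 2.5 release ships by default and note that an override is only safe for the Java 17+ case it already mentions. Consider splitting the bullet into the affected-version statement and the recommended action as two sub-bullets, matching the list style used by the `__Removals__` and `__Misc__` sections in the same hunk.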