esapi-2.7.0.0

[kwwall]

Full Release Notes

Release notes for ESAPI release 2.7.00 are located at:

• https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.7.0.0-release-notes.txt

What's Changed

• This is a major patch release with the primary intent of addressing CVE-2025-5878, the details of which are spelled out in Security Bulletin #13.
  • Major Javadoc enhancements, corrections, and clarifications.
  • Deprecated methods, interfaces, and classes.
  • The reference implementation for the Encoder.encodeForSQL interface is now disabled by default and must be explicitly enabled if you absolutely much use it. (WARNING: You shouldn't!) Instructions on how to enable it are provided in Appendix B of Security Bulletin #13. You will find the updated ESAPI.properties file in the configuration jar helpful.

• This release also updates Apache Commons FileUploads to 1.6.0 to address CVE-2025-48976. That CVE likely does not affect the HTTP.getFileUloads interfaces (which is the only methods that use that library), but we have not had time to analyze it fully given the CVE cited against ESAPI.
• Apache Commons BeanUtils was also updated to 1.11.0 to address CVE-2025-48734 which potentially could anyone using ESAPI's AccessController and has placed their access control policy in a place where an attacker may be overwrite it. That is highly unlikely, but better safe than sorry.

Full Changelog: esapi-2.6.2.0...esapi-2.7.0.0

Configuration Jar

Note the associated file "esapi-2.7.0.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.7.0.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall. If you were using ESAPI's Encoder.encodeForSQL interface, you will want to use its updated ESAPI.properties file.

---

This discussion was created from the release esapi-2.7.0.0.

[kwwall]

Related: Discussion #890.

[kwwall]

ESAPI 2.7.0.0 now showing up in https://search.maven.org/search?q=ESAPI.
VulDB CNA team wrote that "We intend to sync and disclose the CVE in the next 48 hours" and that was written at 3:27AM EDT on 2025-06-28, so it should be soon.

[kwwall]

Important Update

My bad. I forgot to correct the joke that I originally perpetrated on my colleagues doing a code review(to see if they were paying attention). Instead, it backfired when I accidentally ended up using the phony property name. Apparently, I had only remembered to correct the first new property, but not the second new one in configuration/esapi/ESAPI.properties.

To see what I am referring to, see commit ID #a035387. It's actually mostly harmless as it would have the justification reason always be logged as "Justification: none". So I had to update the attached configuration jar, esapi-2.7.0.0-configuration.jar, and the detached GPG signature file, esapi-2.7.0.0-configuration.jar.asc.

I apologize for the inconvenience, but as I explained to my ESAPI developer colleagues, I did NOT do this intentionally. (Did I find it amusing? Sure. But, would I have intentionally cause the ESAPI user community to do addition work? To that I would answer a resounding 'NO'!

Anyway, the bottom line is, if you have already downloaded the 2.7.0.0 configuration jar, you either need to download it again or manually fix it as per the referenced commit ID above.