
esapi-2.7.0.0

@kwwall kwwall released this 28 Jun 00:36
9 commits to develop since this release. Tag esapi-2.7.0.0 at commit 0fa4c0f.

Full Release Notes

Release notes for ESAPI release 2.7.0.0 are located at:

What's Changed

  • This is a major patch release with the primary intent of addressing CVE-2025-5878, the details of which are spelled out in Security Bulletin #13. It also includes:
    • Major Javadoc enhancements, corrections, and clarifications.
    • Deprecated methods, interfaces, and classes.
    • The reference implementation of the Encoder.encodeForSQL interface is now disabled by default and must be explicitly enabled if you absolutely must use it. (WARNING: You shouldn't!) Instructions on how to enable it are provided in Appendix B of Security Bulletin #13. You will find the updated ESAPI.properties file in the configuration jar helpful.
  • This release also updates Apache Commons FileUpload to 1.6.0 to address CVE-2025-48976. That CVE likely does not affect the HTTP.getFileUploads interfaces (which are the only methods that use that library), but we have not had time to analyze it fully given the CVE cited against ESAPI.
  • Apache Commons BeanUtils was also updated to 1.11.0 to address CVE-2025-48734, which could potentially affect anyone who uses ESAPI's AccessController and has placed their access control policy somewhere an attacker may be able to overwrite it. That is highly unlikely, but better safe than sorry.

Full Changelog: esapi-2.6.2.0...esapi-2.7.0.0

Configuration Jar

Note that the associated file "esapi-2.7.0.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.), and that the file "esapi-2.7.0.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall. If you were using ESAPI's Encoder.encodeForSQL interface, you will want to use its updated ESAPI.properties file.
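As an added example (not part of this release or the ESAPI project), the following POSIX shell script verifies the detached GPG signature on the configuration jar and then pulls ESAPI.properties out of the jar to locate the encodeForSQL setting that the "What's Changed" section says is now disabled by default. It assumes gpg and unzip are installed and that Kevin W. Wall's public key has already been imported into the local keyring (the page does not say where the key is published). The property name that governs encodeForSQL is in Appendix B of Security Bulletin #13, not on this page, so the script searches for the substring "encodeForSQL" rather than a specific key.

```shell
#!/bin/sh
# Added example: verify the signed ESAPI configuration jar and locate the
# encodeForSQL setting in its ESAPI.properties. Not ESAPI project code.
# Assumptions: gpg and unzip are installed, and the signer's public key is
# already in the local keyring (this page does not say where it is published).

# Verify the detached GPG signature (.asc) over the configuration jar.
# Exit status: 0 good signature, 2 a file is missing, 3 gpg not installed,
# otherwise whatever gpg returned (a bad or unknown signature is non-zero).
verify_config_jar() {
  jar="$1"
  sig="$2"
  if [ ! -f "$jar" ] || [ ! -f "$sig" ]; then
    echo "missing file: $jar or $sig" >&2
    return 2
  fi
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg is not installed" >&2
    return 3
  fi
  gpg --verify "$sig" "$jar"
}

# Read a .properties file on stdin and print the non-comment lines that
# mention the given substring (case-insensitive). Returns 1 if nothing matched,
# which for encodeForSQL means the updated properties file is not the one in use.
grep_property() {
  pattern="$1"
  grep -v '^[[:space:]]*#' | grep -i -- "$pattern"
}

# Extract ESAPI.properties from the jar (wherever it sits under configuration/)
# and show the lines that mention encodeForSQL.
show_sql_setting() {
  jar="$1"
  entry=$(unzip -Z1 "$jar" | grep 'ESAPI\.properties$' | head -n 1)
  if [ -z "$entry" ]; then
    echo "no ESAPI.properties found in $jar" >&2
    return 1
  fi
  unzip -p "$jar" "$entry" | grep_property encodeForSQL
}

# Usage: sh check_esapi_config.sh esapi-2.7.0.0-configuration.jar esapi-2.7.0.0-configuration.jar.asc
# Only verify-then-inspect when both paths are given; with no arguments the
# functions are merely defined so they can be sourced or tested.
if [ "$#" -eq 2 ]; then
  verify_config_jar "$1" "$2" && show_sql_setting "$1"
fi
```

The signature check runs first so that a jar whose signature does not verify is never unpacked; gpg prints the signer's identity on success, which should be compared against the release author named above before the extracted ESAPI.properties is copied into a deployment.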