Release Notes
v5.27.13 on GitHub
Fixed Bugs:
- Unpredictable order of AccessDeniedHandler.
Fixed Vulnerabilities:
- CVE-2025-5115 (Jetty)
- CVE-2025-55163 (Netty)
- CVE-2025-22227 (Reactor Netty)
Runtime Dependencies:
- Nimbus JOSE+JWT 10.4.2
- JSON Smart 2.6.0
- OpenTelemetry 2.19.0
- Jackson 2.20.0
- CXF 3.6.8
- gRPC 1.75.0
- Swagger Core 2.2.36
- Swagger Parser 2.1.33
- Jetty 10.0.26
- AWS S3 2.33.0
- Azure BLOB 12.31.2
- Netty 4.2.4.Final
- HikariCP 7.0.2
- Commons Codec 1.19.0
- Commons Compress 1.28.0
- Groovy 4.0.28
Test Dependencies:
- Byte Buddy 1.17.7
- JUnit 5.13.4
- Mockito 5.19.0
- Oracle JDBC 23.9.0.25.07
Maven Plugins:
Jakarta EE10 support
Fixed Vulnerabilities:
- CVE-2025-58057 (Netty)
- CVE-2025-58056 (Netty)
- CVE-2025-55163 (Netty)
- CVE-2025-22227 (Reactor Netty)
- CVE-2025-7962 (Angus)
- CVE-2025-5115 (Jetty)
- CVE-2025-22233 (Spring)
- CVE-2025-41234 (Spring)
- CVE-2025-41242 (Spring)
Runtime Dependencies:
- Richfaces 10.0.0-openl
- Spring Framework 6.2.10
- Spring Boot 3.5.9
- Spring Integration 6.5.1
- Spring Security 6.5.3
- Kafka 4.1.0
- Snappy Java 1.1.10.8
- CXF 4.1.3
- Jetty 12.0.25
- AWS S3 2.33.3
- Netty 4.2.5.Final
- Hibernate ORM 6.6.28.Final
- Hibernate Validator 8.0.3.Final
- Jakarta Mail API 2.1.4
- Angus Mail 2.0.4
- GreenMail 2.1.5
- JCodeModel 4.0.0
Migration Notes
The Jackson Databind release notes state:
#4136: Drop deprecated (in 2.12) PropertyNamingStrategy implementations from 2.20
According to the deprecation notes in Jackson Databind, PropertyNamingStrategies must be used instead of PropertyNamingStrategy.
See also #2715