Full Release Notes

Release notes for ESAPI release 2.7.00 are located at:

• https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.7.0.0-release-notes.txt

What's Changed

• This is a major patch release with the primary intent of addressing CVE-2025-5878, the details of which are spelled out in Security Bulletin #13.
  • Major Javadoc enhancements, corrections, and clarifications.
  • Deprecated methods, interfaces, and classes.
  • The reference implementation for the Encoder.encodeForSQL interface is now disabled by default and must be explicitly enabled if you absolutely much use it. (WARNING: You shouldn't!) Instructions on how to enable it are provided in Appendix B of Security Bulletin #13. You will find the updated ESAPI.properties file in the configuration jar helpful.

• This release also updates Apache Commons FileUploads to 1.6.0 to address CVE-2025-48976. That CVE likely does not affect the HTTP.getFileUloads interfaces (which is the only methods that use that library), but we have not had time to analyze it fully given the CVE cited against ESAPI.
• Apache Commons BeanUtils was also updated to 1.11.0 to address CVE-2025-48734 which potentially could anyone using ESAPI's AccessController and has placed their access control policy in a place where an attacker may be overwrite it. That is highly unlikely, but better safe than sorry.

Full Changelog: esapi-2.6.2.0...esapi-2.7.0.0

Configuration Jar

Note the associated file "esapi-2.7.0.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.7.0.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall. If you were using ESAPI's Encoder.encodeForSQL interface, you will want to use its updated ESAPI.properties file.