Sourced from org.owasp.esapi:esapi's releases.

esapi-2.7.0.0

Full Release Notes

Release notes for ESAPI release 2.7.00 are located at:

• https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.7.0.0-release-notes.txt

What's Changed

• This is a major patch release with the primary intent of addressing CVE-2025-5878, the details of which are spelled out in [Security Bulletin #13](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf).
  • Major Javadoc enhancements, corrections, and clarifications.
  • Deprecated methods, interfaces, and classes.
  • The reference implementation for the Encoder.encodeForSQL interface is now disabled by default and must be explicitly enabled if you absolutely much use it. (WARNING: You shouldn't!) Instructions on how to enable it are provided in Appendix B of [Security Bulletin #13](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf). You will find the updated ESAPI.properties file in the configuration jar helpful.

• This release also updates Apache Commons FileUploads to 1.6.0 to address CVE-2025-48976. That CVE likely does not affect the HTTP.getFileUloads interfaces (which is the only methods that use that library), but we have not had time to analyze it fully given the CVE cited against ESAPI.
• Apache Commons BeanUtils was also updated to 1.11.0 to address CVE-2025-48734 which potentially could anyone using ESAPI's AccessController and has placed their access control policy in a place where an attacker may be overwrite it. That is highly unlikely, but better safe than sorry.

Full Changelog: https://github.com/ESAPI/esapi-java-legacy/compare/esapi-2.6.2.0...esapi-2.7.0.0

Configuration Jar

Note the associated file "esapi-2.7.0.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.7.0.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall. If you were using ESAPI's Encoder.encodeForSQL interface, you will want to use its updated ESAPI.properties file.

• 0fa4c0f Remove '-SNAPSHOT' from release # to prep official release.
• f75ac2c Merging Private Branch contents from Kevin's Repo. (#888)
• e232291 Merge pull request #886 from kwwall/develop
• 23a2b76 Added Javadoc to encodeForSQL method regarding how to enabled it.
• 0129740 Added 2 new field names whose values are the 2 new property names.
• eb425bb New property file for testing DefaultEncoder.encodeForSQL when it's
• 844eb0c Add missing newline.
• a10e323 hanged the tongue-in-cheek property names to the actual ones we are using.
• 06d0ff2 Changed the tongue-in-cheek property names to the actual ones we are using.
• 61de71f Changed the tongue-in-cheek propert names to the actual ones we are using.
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)