5.5.7 Release Notes

Security Fix for CVE-2025-30065 – Remote code execution via parquet-avro in hazelcast-sql module: Resolved CVE-2025-30065, a critical vulnerability in the org.apache.parquet:parquet-avro:1.14.1 transitive dependency used by the hazelcast-sql module. The issue allows remote code execution via malicious Avro schema deserialization when reading Avro-encoded Parquet files.

Fixed poor near cache invalidation performance under high client load: Resolved an issue where operation latency increased steadily with large client counts and near cache enabled. The root cause was that all invalidation events were scheduled on a single event thread, leading to an overloaded queue. This fix distributes invalidation events across the event thread pool. As a result, load is balanced more effectively, significantly improving performance and scalability under heavy client workloads.

Fixed NullPointerException during Continuous Query Cache event serialization under load: Resolved an issue where Continuous Query Cache (CQC) events were frequently lost under high load due to internal NullPointerException during event serialization. The root cause was a missing null check in the event encoding logic, leading to failures in dispatching CQC updates and resulting in stale cache data. The fix adds proper null handling to ensure reliable event delivery even in large, high-throughput clusters.

Fixed misleading XML parsing error when loading YAML configuration: Resolved an issue where Hazelcast 5.5.2 logged a misleading XML parsing error (Content is not allowed in prolog) when started with a valid YAML configuration file. This occurred because the system attempted to parse the configuration as XML before falling back to YAML, resulting in an error message even though the configuration was successfully loaded. The fix ensures that the configuration format is determined before parsing, preventing unnecessary and confusing log entries during startup when using YAML files.