Community Edition Release Notes
These release notes list any new features, enhancements, fixes and breaking changes that were made for Hazelcast Platform Community Edition.
Hazelcast Platform Community Edition is available in major and minor releases only (e.g. x.0, x.1, x.2, etc.). From release 5.4, patch releases are only available for Enterprise Edition, i.e. no patch releases (e.g. x.1.1, x.2.3) will be made available for Community Edition.
For help downloading Hazelcast Community Edition, see Installing Hazelcast Community Edition.
5.6.0
Release date:
Security
The following table shows an overview of CVEs fixed in this Hazelcast Platform release compared to Community Edition 5.5.0:

Severity | CVEs fixed in 5.6.0
---|---
Critical | 4
High | 2
Medium | 1
Low | 0
CVEs and security issues (originally fixed in Enterprise Edition 5.5.7, released 2025-07-22):
- Security Fix for CVE-2025-30065 – Remote code execution via parquet-avro in hazelcast-sql module: Resolved CVE-2025-30065, a critical vulnerability in the `org.apache.parquet:parquet-avro:1.14.1` transitive dependency used by the hazelcast-sql module. The issue allows remote code execution via malicious Avro schema deserialization when reading Avro-encoded Parquet files.
CVEs and security issues (originally fixed in Enterprise Edition 5.5.6, released 2025-05-19):
- Updated exception handling for non-existent JAAS classes: Resolved an issue where specifying a non-existent class for JAAS configuration did not result in an appropriate exception being logged. Previously, this caused a lack of visibility into configuration errors, making it harder to diagnose issues. The fix ensures that when a non-existent class is specified for JAAS, an `InvalidConfigurationException` is properly logged in the server logs, replacing the incorrect reference to `ClassNotFoundException`.
- Security Fix for CVE-2025-31651 - Improper neutralization of escape, meta, or control sequences vulnerability in Apache Tomcat: We have resolved CVE-2025-31651, a critical vulnerability in Apache Tomcat where, for a subset of unlikely rewrite rule configurations, a specially crafted request could bypass some rewrite rules.
- Security Fix for CVE-2025-24813 - Remote code execution and/or information disclosure and/or malicious content added to uploaded files via write-enabled Default Servlet in Apache Tomcat: We have resolved CVE-2025-24813, a critical vulnerability in Apache Tomcat where, in some circumstances, a malicious user was able to view security-sensitive files and/or inject content into those files.
- Security Fix for CVE-2025-31650 - Improper input validation vulnerability in Apache Tomcat: We have resolved CVE-2025-31650, a high-severity vulnerability in Apache Tomcat where incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request, which created a memory leak.
- Security Fix for CVE-2024-38286 - Allocation of resources without limits or throttling vulnerability in Apache Tomcat: We have resolved CVE-2024-38286, a high-severity vulnerability in Apache Tomcat where, under certain configurations on any platform, an attacker could cause an OutOfMemoryError by abusing the TLS handshake process.
CVEs and security issues (originally fixed in Enterprise Edition 5.5.5, released 2025-03-19):
- Security Fix for CVE-2024-47561: We have resolved CVE-2024-47561, a critical vulnerability in the Apache Avro Java SDK (versions 1.11.3 and earlier) that allowed attackers to execute arbitrary code through maliciously crafted Avro schemas.
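Both the parquet-avro entry (CVE-2025-30065, above) and the Avro SDK entry (CVE-2024-47561) name a vulnerable dependency coordinate, and the practical question for an operator is whether that artifact is still on the classpath of their own deployment. The following script is an added example, not part of these release notes or of Hazelcast's own tooling: it scans the output of `mvn dependency:list` or `mvn dependency:tree` and flags the two artifacts at the versions these notes call out (`org.apache.parquet:parquet-avro` at 1.14.1, and `org.apache.avro:avro` at 1.11.3 or earlier). The Maven output format is assumed from the standard plugin, the sample lines are constructed, and the version thresholds come only from this page, so the script does not claim to know the fixed versions.

```python
"""Flag vulnerable Avro / parquet-avro artifacts in Maven dependency output (added example)."""
import re
from typing import Callable, Iterable, Optional

# Matches "[INFO]    group:artifact:type[:classifier]:version:scope" from dependency:list,
# and the same coordinate after the "+- " / "\- " / "|  " tree glyphs from dependency:tree.
_DEP_LINE = re.compile(r"^\[INFO\]\s*[|+\\\- ]*(?P<g>[^:\s]+):(?P<a>[^:\s]+):(?P<rest>\S+)")


def _parse_version(version: str) -> tuple:
    """Numeric prefix of a version as a tuple, e.g. '1.11.3' -> (1, 11, 3).
    Qualifiers such as '-SNAPSHOT' are dropped before comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version.split("-")[0])[:3])


# (groupId, artifactId, predicate over parsed version, advisory).
# Thresholds are exactly what the release notes state: parquet-avro 1.14.1 is the
# affected transitive dependency; Avro 1.11.3 and earlier are affected.
RULES: list[tuple[str, str, Callable[[tuple], bool], str]] = [
    ("org.apache.parquet", "parquet-avro", lambda v: v == (1, 14, 1), "CVE-2025-30065"),
    ("org.apache.avro", "avro", lambda v: v <= (1, 11, 3), "CVE-2024-47561"),
]


def parse_dependency_line(line: str) -> Optional[tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for a Maven dependency line, else None."""
    match = _DEP_LINE.match(line)
    if not match:
        return None
    # rest is "type[:classifier]:version:scope"; version is always second-to-last.
    parts = match.group("rest").split(":")
    if len(parts) < 3:
        return None
    return match.group("g"), match.group("a"), parts[-2]


def find_vulnerable(lines: Iterable[str]) -> list[dict]:
    """Scan Maven output lines and return one finding per matching coordinate."""
    findings = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        for rule_group, rule_artifact, is_affected, advisory in RULES:
            if group == rule_group and artifact == rule_artifact and is_affected(_parse_version(version)):
                findings.append({"coordinate": f"{group}:{artifact}:{version}", "advisory": advisory})
    return findings


# Constructed sample of `mvn dependency:list` output for a hypothetical app using hazelcast-sql.
SAMPLE_OUTPUT = """\
[INFO] --- dependency:3.6.1:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    com.hazelcast:hazelcast:jar:5.5.0:compile
[INFO]    com.hazelcast:hazelcast-sql:jar:5.5.0:compile
[INFO]    org.apache.parquet:parquet-avro:jar:1.14.1:compile
[INFO]    org.apache.avro:avro:jar:1.11.3:compile
[INFO]    org.apache.parquet:parquet-hadoop:jar:1.14.1:compile
"""

if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_OUTPUT.splitlines()):
        print(f"{finding['advisory']}: {finding['coordinate']}")
```

Run it against real output with `mvn dependency:list | python check_deps.py`-style piping by replacing `SAMPLE_OUTPUT.splitlines()` with `sys.stdin`; the coordinate-based rule list is the only part that needs updating as further advisories are published.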
CVEs and security issues (originally fixed in Enterprise Edition 5.5.3, released 2024-10-17):
- Security Fix for CVE-2023-45676: We have resolved CVE-2023-45676, a dependency vulnerability related to improper authorization checks in certain scenarios. This issue could potentially allow attackers to bypass expected permission restrictions.