5.8.0 Release notes

Console support: If you are experiencing any issues using the Command Line Client (CLC) in Management Center, there is a new option to switch from the CLC-based console to the original console. You can enable this by setting the environment variable HAZELCAST_MC_ORIGINAL_CONSOLE_ENABLED to true.

Security Fix for CVE-2024-47554 – Uncontrolled resource consumption vulnerability in Apache Commons IO: We have resolved CVE-2024-47554, a high-severity vulnerability in Apache Commons IO where the XmlStreamReader class could excessively consume CPU resources when processing maliciously crafted input. This issue affected versions 2.0 up to but not including 2.14.0. The vulnerability has been mitigated by upgrading to a version that includes Apache Commons IO 2.14.0 or later.

Security Fix for CVE-2025-22235 – Improper input validation vulnerability in Spring Boot: We have resolved CVE-2025-22235, a medium-severity vulnerability in Spring Boot where EndpointRequest.to() could create a matcher for null/** if the targeted actuator endpoint was disabled or not exposed. This misconfiguration could unintentionally leave the /null path unprotected if it was handled by the application and expected to be secured. The issue has been addressed by upgrading to Spring Boot version 3.4.5.

Security Fix for CVE-2025-22228 – Authentication bypass vulnerability in Spring Security Crypto: We have resolved CVE-2025-22228, a high-severity vulnerability in Spring Security’s BCryptPasswordEncoder where the matches() function would incorrectly return true for passwords longer than 72 characters, provided the first 72 characters matched. This flaw could allow attackers to bypass authentication checks by exploiting password truncation. The vulnerability has been mitigated by upgrading to spring-security-crypto version 6.4.5.

Changes to Prometheus Exporter metrics v2 (BETA): The following changes have been implemented to Prometheus Exporter metrics v2, which are currently in BETA: