Jahia 8.1.9 Release Notes

September 4, 2025

What's new?

Jahia 8.1.9 is a maintenance release that primarily addresses the security-related issues detailed in the September security patch page.

Adopting this release is expected to be simple for environments already running Jahia 8.1.8.

Breaking changes

This release includes changes that could be considered breaking, depending on your environment.

Apache Portlet removal

Deprecated since Jahia 8.0, the portlet functionality has been removed in Jahia 8.1.9.0.

Following investigations, it was discovered that this deprecated feature could expose Jahia to security vulnerabilities, so the decision was made to remove it.

Note that portlets were already removed from Jahia 8.2.0.0+, released in 2024.

Stricter file upload validations

This release introduces stricter file upload checks configurable via the property jahiaSecuredFileUpload in the jahia.properties file.

In Jahia 8.1.9.0, this property is set to true by default. Make sure to review the documentation available in the jahia.properties file to determine if and how you are impacted. This documentation is also accessible here.

Snakeyaml upgrade

To address the CVE-2025-52999 vulnerability in jackson-core, it was necessary to upgrade snakeyaml from 1.33 to 2.4. 

To determine whether you are impacted, start by reviewing your codebase to check if you are currently using the snakeyaml bundle exposed by Jahia. 

  • If you are not importing snakeyaml, then you are not impacted.
  • If you are using snakeyaml, review the breaking changes in snakeyaml 2.x. You can do so by analyzing this file and searching for actions of type "remove". Removals between v1.33 and v2.4 are:
    • v2.4 - Remove external Base64Coder and use provided Base64 (thanks to MithunKhanna) - Commit
    • v2.3 - Remove unused BUFFER_SIZE (thanks to Róbert Papp (TWiStErRob)) - Issue, Commit
    • v2.1 - Remove Trusted*Inspector classes from main sources tree - Commit
    • v2.0 - Remove many deprecated constructors - Commit
    • v2.0 - Remove long deprecated methods in FlowStyle - Commit
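
One way to run the codebase review described above, as an added example (not Jahia's or snakeyaml's own tooling): the script lists source files that reference org.yaml.snakeyaml and flags lines touching the names in the removal list. The file suffixes, function names and sample source are assumptions, and each hit is a prompt for manual review rather than proof of breakage.

```python
import re
import sys
from pathlib import Path

PKG = "org.yaml.snakeyaml"  # package of the snakeyaml bundle
# Patterns derived from the "remove" entries listed in the release notes.
REMOVED = {
    r"\bBase64Coder\b": "v2.4 removed external Base64Coder",
    r"\bBUFFER_SIZE\b": "v2.3 removed BUFFER_SIZE",
    r"\bTrusted\w*Inspector\b": "v2.1 removed Trusted*Inspector classes",
    r"\bFlowStyle\b": "v2.0 removed deprecated FlowStyle methods",
}
IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?org\.yaml\.snakeyaml\.([\w.]+)")
NEW_RE = re.compile(r"\bnew\s+([\w.]+)\s*[(<]")
SUFFIXES = {".java", ".kt", ".groovy", ".jsp"}  # assumed source file types

# Constructed sample source, not taken from a real module.
SAMPLE = """\
package org.example;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.DumperOptions.FlowStyle;
class Cfg {
    Object load(String s) { return new Yaml().load(s); }
}
"""

def scan_text(text):
    """Return [(line_no, reason)] for one file; [] means not impacted."""
    if PKG not in text:
        return []
    findings, imported = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        m = IMPORT_RE.match(line)
        if m:
            imported.add(m.group(1).split(".")[-1])
            findings.append((no, "imports snakeyaml: " + m.group(1)))
        for pattern, reason in REMOVED.items():
            if re.search(pattern, line):
                findings.append((no, reason))
        for name in NEW_RE.findall(line):
            # v2.0 removed many deprecated constructors: check each call.
            if name.startswith(PKG) or name.split(".")[-1] in imported:
                findings.append((no, "constructor call, check v2.0 removals: " + name))
    return findings

def scan_tree(root):
    """Map each impacted source file under root to its findings."""
    files = (p for p in Path(root).rglob("*") if p.suffix in SUFFIXES and p.is_file())
    hits = {str(p): scan_text(p.read_text(encoding="utf-8", errors="replace")) for p in files}
    return {path: found for path, found in hits.items() if found}

if __name__ == "__main__":
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for no, reason in found:
            print(f"{path}:{no}: {reason}")
```

Run it with the module's source directory as the only argument; an empty result corresponds to the "not importing snakeyaml" case above.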

CSRF protection in /modules/api/bundles

In this release, we removed the ability for /modules/api/bundles to rely on sessions for authentication, which typically means that it will not be possible to call this endpoint from Web UIs.

We expect this use case to be extremely rare (if not nonexistent), since this endpoint was primarily created to support Jahia orchestration use cases, which are unaffected by this change. This endpoint is still reachable via other Jahia authentication mechanisms (token, basic auth).

Updated modules and libraries in 8.1.9

Library upgrades

The following libraries were updated between Jahia 8.1.8.3 and Jahia 8.1.9.0:

Library                     Jahia 8.1.8.3    Jahia 8.1.9.0
Apache Commons Beanutils    1.9.4            1.11.0
Apache Commons FileUpload   1.3.3            1.5
Apache Tomcat               9.0.104          9.0.107
Graphql-java                13.0             13.0.jahia1
Jackson Core                2.15.2           2.19.0
snakeyaml                   1.33             2.4

Updated modules

The following modules were updated between Jahia 8.1.8.3 and Jahia 8.1.9.0:

Module             Jahia 8.1.8.3    Jahia 8.1.9.0
Server Settings    9.7.2            9.7.4

Jahia 8.1.8.3 >> 8.1.9.0 - Changelog

8.1.9.0

Security

  • Introduced a stricter mechanism to validate file uploads, configurable using the jahiaSecuredFileUpload property. This configuration is true by default. Please see the "Breaking Changes" section of this document.

 

Modules included in the upgrade - Changelog

ServerSettings (9.7.4)

  • Removed portlets (deprecated in Jahia 8.0.0.0)