apache/storm
Apache Storm
🚀 New Features
- Update 2.x documentation links to javadoc.io, fix Jekyll rendering, and optimize CI matrix by @rzo1 in https://github.com/apache/storm/pull/8595
🐛 Bug Fixes
- STORM-4041: fix(topology_lag): Kafka Topology Lag breaking when no offsets are committed (Backport #8589) by @reiabreu in https://github.com/apache/storm/pull/8591
📦 Dependency Upgrades
- Bump actions/setup-node from 6.3.0 to 6.4.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8534
- Bump postcss from 8.5.8 to 8.5.10 in /storm-webapp by @dependabot[bot] in https://github.com/apache/storm/pull/8536
- Bump org.glassfish.jersey:jersey-bom from 3.1.11 to 4.0.2 by @dependabot[bot] in https://github.com/apache/storm/pull/8632
- Bump org.apache.maven:maven-resolver-provider from 3.9.14 to 3.9.15 by @dependabot[bot] in https://github.com/apache/storm/pull/8631
- Bump netty-tcnative.version from 2.0.75.Final to 2.0.77.Final by @dependabot[bot] in https://github.com/apache/storm/pull/8628
- Bump com.github.ben-manes.caffeine:caffeine from 3.2.3 to 3.2.4 by @dependabot[bot] in https://github.com/apache/storm/pull/8624
- Bump jetty.version from 12.1.8 to 12.1.9 by @dependabot[bot] in https://github.com/apache/storm/pull/8622
- Bump datatables.net-bs5 from 2.3.7 to 2.3.8 in /storm-webapp by @dependabot[bot] in https://github.com/apache/storm/pull/8621
- + 24 more
⚠️ Security Fixes
- CVE-2026-40557: JVM-wide TLS Security Downgrade in Prometheus Reporter
  - Versions Affected: 2.6.3 to 2.8.6.
  - Technical Description: Enabling the `skip_tls_validation` option in the Prometheus Reporter installed its certificate-validation bypass by replacing the JVM's default SSL context. The downgrade was therefore process-wide: every component performing TLS in the same JVM lost certificate validation, not only the reporter.
  - Fix: The reporter now uses a scoped SSL context for the validation bypass, so the default JVM SSL context remains secure.
- CVE-2026-41081: Improper Handling of TLS Client Authentication Failures
  - Versions Affected: All versions before 2.8.7.
  - Technical Description: When TLS client authentication was enabled, failed authentication attempts were incorrectly assigned a fallback "ANONYMOUS" principal. This allowed unauthorized users to potentially bypass authorization checks that relied on the presence of a principal.
  - Fix: Connections are now strictly rejected if TLS client authentication fails or is missing when required.
- + 1 more
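The scoping point behind CVE-2026-40557, as an added example that is not Storm's reporter code: a validation-skipping trust manager is handed only to the reporter's own HTTP client instead of being installed with `SSLContext.setDefault`, so the rest of the JVM keeps validating certificates. Class and method names are hypothetical, and the JDK's `java.net.http.HttpClient` stands in for whatever client the real reporter uses.

```java
import java.net.http.HttpClient;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Hypothetical reporter wiring showing the JVM-wide vs. scoped SSL context shapes. */
public final class ScopedSslContextExample {

    /** Stand-in for what a skip_tls_validation flag produces: a context that validates nothing. */
    private static SSLContext permissiveContext() throws GeneralSecurityException {
        TrustManager[] acceptAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
                @Override public void checkClientTrusted(X509Certificate[] c, String a) { }
                @Override public void checkServerTrusted(X509Certificate[] c, String a) { }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, new SecureRandom());
        return ctx;
    }

    /** Vulnerable shape: replaces the process-wide default, downgrading every TLS client in the JVM. */
    static void vulnerableEnableSkip() throws GeneralSecurityException {
        SSLContext.setDefault(permissiveContext()); // the CVE-2026-40557 pattern; do not do this
    }

    /** Fixed shape: the permissive context is given only to the reporter's own client instance. */
    static HttpClient fixedReporterClient(boolean skipTlsValidation) throws GeneralSecurityException {
        HttpClient.Builder builder = HttpClient.newBuilder();
        if (skipTlsValidation) {
            builder.sslContext(permissiveContext()); // scoped: no other component sees this context
        }
        return builder.build();
    }

    public static void main(String[] args) throws Exception {
        SSLContext jvmDefault = SSLContext.getDefault();
        HttpClient reporter = fixedReporterClient(true);
        // The default is the same cached instance as before; only the reporter carries the bypass.
        System.out.println("JVM default untouched: " + (SSLContext.getDefault() == jvmDefault));
        System.out.println("reporter uses scoped context: " + (reporter.sslContext() != jvmDefault));
    }
}
```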
🐛 Bug Fixes
- [#8518] - Cache busting is broken - `${packageTimestamp}` is never substituted in HTML resources.
- [#8516] - Hardening: clean up TlsTransportPlugin and surface unverified peers.
- [#8515] - Profiling/debugging REST endpoints should use POST instead of GET.
- [#8533] - flux: fix 'recieveed' -> 'received' in LogInfoBolt Javadoc.
- [#8532] - storm-client: fix 'accross' -> 'across' in Stream.java Javadoc.
- [#8531] - storm-core: fix 'seperate' -> 'separate' in configuration.h comment.
- [#8530] - docs: fix 'occured' -> 'occurred' in LocallyCachedBlob Javadoc.
- [#8529] - docs: fix 'recieved' -> 'received' in IAutoCredentials Javadoc.
- + 1 more
📦 Dependency Upgrades
| Dependency | From | To | PR |
| :--- | :--- | :--- | :--- |
| com.google.guava:guava | 33.5.0-jre | 33.6.0-jre | [#8526] |
| org.apache.commons:commons-configuration2 | 2.13.0 | 2.14.0 | [#8525] |
| org.bouncycastle (bouncycastle.version) | 1.83 | 1.84 | [#8524] |
| org.rocksdb:rocksdbjni | 10.10.1 | 10.10.1.1 | [#8523] |
| org.jgrapht:jgrapht-core | 0.9.0 | 1.5.3 | [#8522] |
| org.apache.hbase:hbase-client | 2.6.4-hadoop3 | 2.6.5-hadoop3 | [#8520] |
- + 7 more
📝 Contributors
- Thank you to everyone who contributed to this release.
This release includes two security fixes, enhancements, bug fixes, and a large number of dependency upgrades. Users of previous versions are strongly encouraged to upgrade.
⚠️ Security Fixes
- CVE-2026-35337 (https://www.cve.org/CVERecord?id=CVE-2026-35337): Deserialization of Untrusted Data in Apache Storm
  - Versions Affected: < 2.8.6
  - Technical Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using `ObjectInputStream.readObject()` without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the `"TGT"` credential field, leading to remote code execution in both the Nimbus and Worker JVMs.
  - Fix: Upgrade to 2.8.6. If you cannot upgrade immediately, monkey-patch an `ObjectInputFilter` allow-list into `ClientAuthUtils.deserializeKerberosTicket()`, restricting deserialized classes to `javax.security.auth.kerberos.KerberosTicket` and its known dependencies. See the full mitigation instructions in the release notes (https://storm.apache.org/).
  - Credit: Discovered by K.
- CVE-2026-35565 (https://www.cve.org/CVERecord?id=CVE-2026-35565): Stored XSS via Unsanitized Topology Metadata in Storm UI
  - Versions Affected: < 2.8.6
  - Technical Description: The Storm UI visualization component interpolates topology metadata (component IDs, stream names, grouping values) directly into HTML via `innerHTML` in `parseNode()` and `parseEdge()` without sanitization. An authenticated user with topology submission rights could craft a topology with malicious HTML/JavaScript in component identifiers, resulting in stored cross-site scripting. In multi-tenant deployments this enables privilege escalation through script execution in an admin's browser session.
  - Fix: Upgrade to 2.8.6. If you cannot upgrade immediately, patch `storm-webapp/src/main/webapp/js/visualization.js` to escape output in `parseNode()` and `parseEdge()`. See the full mitigation instructions in the release notes (https://storm.apache.org/).
  - Credit: Discovered while investigating another report by K.
🚀 Enhancements
- #8483 - Migrate to Java 24+ compatible security APIs and add Java 25 to CI (https://github.com/apache/storm/pull/8483)
- #8452 - Pass Conf object to KryoDecorator (https://github.com/apache/storm/pull/8452)
- #8305 - Improve `dev-tools/release_notes.py` to handle multiple tags per issue (https://github.com/apache/storm/issues/8305)
🐛 Bug Fixes
- #8456 / #8457 - Fix scientific notation display for large numbers in Storm UI table (https://github.com/apache/storm/issues/8456, https://github.com/apache/storm/pull/8457)
- #8442 - Fix NPE in `getSupervisorPageInfo` for unknown hostnames (https://github.com/apache/storm/pull/8442)
- #8441 - Fix NPE in `mkAssignments` when assignment is deleted during scheduling (https://github.com/apache/storm/pull/8441)
- #8440 - Fix corrupted record counter in `SequenceFileReader.Offset.increment()` (https://github.com/apache/storm/pull/8440)
📦 Dependency Upgrades
| Dependency | From | To |
| :--- | :--- | :--- |
| io.netty:netty-bom | 4.2.10.Final | 4.2.12.Final |
| hadoop.version | 3.4.3 | 3.5.0 |
| org.rocksdb:rocksdbjni | 10.2.1 | 10.10.1 |
| activemq.version | 6.2.1 | 6.2.3 |
| spring.version | 7.0.5 | 7.0.6 |
| jetty.version | 12.1.6 | 12.1.8 |
| com.fasterxml.jackson:jackson-bom | 2.21.1 | 2.21.2 |
| com.fasterxml.jackson.core:jackson-databind | 2.21.1 | 2.21.2 |
| storm.kafka.client.version | 4.1.1 | 4.2.0 |
| redis.clients:jedis | 7.3.0 | 7.4.1 |
| byte-buddy.version | 1.18.5 | 1.18.8 |
| org.apache.logging.log4j:log4j-bom | 2.25.3 | 2.25.4 |
| prometheus.client.version | 1.5.0 | 1.5.1 |
| org.checkerframework:checker-qual | 3.53.1 | 3.54.0 |
| com.google.errorprone:error_prone_annotations | 2.48.0 | 2.49.0 |
| netty-tcnative.version | 2.0.74.Final | 2.0.75.Final |
| commons-logging:commons-logging | 1.3.5 | 1.3.6 |
| joda-time:joda-time | 2.14.0 | 2.14.1 |
| org.apache.maven:maven-resolver-provider | 3.9.12 | 3.9.14 |
| org.apache.maven.plugins:maven-shade-plugin | 3.6.1 | 3.6.2 |
| com.github.eirslett:frontend-maven-plugin | 1.15.1 | 2.0.0 |
| cytoscape (storm-webapp) | 3.33.1 | 3.33.2 |
| lodash (storm-webapp) | 4.17.23 | 4.18.1 |
| webpack-cli (storm-webapp) | 7.0.0 | 7.0.2 |
| cypress (storm-webapp) | 15.12.0 | 15.13.0 |
| mini-css-extract-plugin (storm-webapp) | 2.10.1 | 2.10.2 |
| start-server-and-test (storm-webapp) | 2.1.5 | 3.0.0 |
| serialize-javascript (storm-webapp) | 7.0.4 | 7.0.5 |
| picomatch (storm-webapp) | 4.0.3 | 4.0.4 |
| actions/upload-artifact | 4.6.2 | 7.0.0 |
| actions/setup-node | 4.4.0 | 6.3.0 |
| actions/download-artifact | 4.3.0 | 8.0.1 |
| ruby/setup-ruby | 1.295.0 | 1.298.0 |
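The `ObjectInputFilter` allow-list that the CVE-2026-35337 mitigation above calls for, as an added example that is not Storm's `ClientAuthUtils` code: the filter admits `KerberosTicket` and the classes its serialized form carries, rejects everything else, and is installed before the first `readObject()`. The exact class list is an assumption to verify against the JDK in use, and `deserializeTgt` is a hypothetical stand-in for `deserializeKerberosTicket()`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;
import java.util.HashMap;
import javax.security.auth.kerberos.KerberosTicket;

/** Allow-list deserialization for the base64 TGT credential field (mitigation shape, not Storm's code). */
public final class KerberosTicketFilterExample {

    // Pattern syntax is that of ObjectInputFilter.Config.createFilter / jdk.serialFilter: listed classes
    // are allowed, the trailing "!*" rejects everything else. Arrays are matched on their component type
    // and primitive arrays (byte[], boolean[]) are never rejected, so the ticket's raw fields pass.
    // Assumed dependency set of a serialized KerberosTicket; confirm against your JDK before relying on it.
    static final ObjectInputFilter TGT_FILTER = ObjectInputFilter.Config.createFilter(
        "javax.security.auth.kerberos.KerberosTicket;"
        + "javax.security.auth.kerberos.KerberosPrincipal;"
        + "javax.security.auth.kerberos.KeyImpl;"
        + "java.util.Date;java.lang.String;"
        + "java.net.InetAddress;java.net.Inet4Address;java.net.Inet6Address;"
        + "maxdepth=8;maxrefs=64;maxbytes=65536;"
        + "!*");

    /** Hypothetical replacement for an unfiltered readObject() over the decoded TGT blob. */
    static KerberosTicket deserializeTgt(String base64Tgt) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Tgt);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(TGT_FILTER); // must be set before the first readObject()
            Object o = ois.readObject();
            if (!(o instanceof KerberosTicket)) {
                throw new InvalidClassException("TGT field did not contain a KerberosTicket");
            }
            return (KerberosTicket) o;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a harmless HashMap stands in for any object graph that is not a ticket.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new HashMap<String, String>());
        }
        String blob = Base64.getEncoder().encodeToString(bos.toByteArray());
        try {
            deserializeTgt(blob);
            System.out.println("unexpected: filter let a non-ticket class through");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage()); // "filter status: REJECTED"
        }
    }
}
```

The same filter string can also be applied process-wide via the `jdk.serialFilter` system property, but doing so affects every `ObjectInputStream` in the JVM, so the per-stream form above is the narrower change.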
📋 What's Changed
- Bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.1 to 3.15.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8410
- Bump org.apache.maven.plugins:maven-dependency-plugin from 3.9.0 to 3.10.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8408
- Bump org.junit:junit-bom from 6.0.2 to 6.0.3 by @dependabot[bot] in https://github.com/apache/storm/pull/8402
- Bump org.apache.maven.plugins:maven-surefire-report-plugin from 3.5.4 to 3.5.5 by @dependabot[bot] in https://github.com/apache/storm/pull/8394
- Bump byte-buddy.version from 1.18.4 to 1.18.5 by @dependabot[bot] in https://github.com/apache/storm/pull/8395
- Bump org.checkerframework:checker-qual from 3.53.0 to 3.53.1 by @dependabot[bot] in https://github.com/apache/storm/pull/8406
- [storm-client] Replace e.printStackTrace() with SLF4J logging in ConfigurableTopology by @Ironankit525 in https://github.com/apache/storm/pull/8413
- [storm-client] Add missing logging to TridentBoltExecutor on tuple count mismatch failures by @Ironankit525 in https://github.com/apache/storm/pull/8414
- + 29 more
✨ New Contributors
- @Ironankit525 made their first contribution in https://github.com/apache/storm/pull/8413
- Full Changelog: https://github.com/apache/storm/compare/v2.8.4...v2.8.5
📋 What's Changed
- Bump ruby/setup-ruby from 1.265.0 to 1.267.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8296
- Bump org.apache.xbean:xbean-spring from 4.27 to 4.28 by @dependabot[bot] in https://github.com/apache/storm/pull/8294
- Bump com.google.errorprone:error_prone_annotations from 2.42.0 to 2.43.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8292
- Bump activemq.version from 6.1.7 to 6.1.8 by @dependabot[bot] in https://github.com/apache/storm/pull/8291
- Bump org.junit:junit-bom from 6.0.0 to 6.0.1 by @dependabot[bot] in https://github.com/apache/storm/pull/8301
- Bump prometheus.client.version from 1.4.1 to 1.4.2 by @dependabot[bot] in https://github.com/apache/storm/pull/8297
- Bump org.checkerframework:checker-qual from 3.51.1 to 3.52.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8304
- Bump commons-codec:commons-codec from 1.19.0 to 1.20.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8303
- + 85 more
✨ New Contributors
- @haosenwang1018 made their first contribution in https://github.com/apache/storm/pull/8392
- Full Changelog: https://github.com/apache/storm/compare/v2.8.3...v2.8.4
📋 What's Changed
- Bump curator.version from 5.8.0 to 5.9.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8202
- Drop storm-sql-* modules by @rzo1 in https://github.com/apache/storm/pull/8174
- Update Java dependencies to latest versions by @rzo1 in https://github.com/apache/storm/pull/8215
- Bump commons-codec:commons-codec from 1.18.0 to 1.19.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8199
- Bump com.google.errorprone:error_prone_annotations from 2.40.0 to 2.41.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8200
- Bump org.apache.commons:commons-text from 1.13.1 to 1.14.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8201
- Bump dropwizard.version from 4.0.14 to 4.0.15 by @dependabot[bot] in https://github.com/apache/storm/pull/8203
- Bump net.minidev:json-smart from 2.5.2 to 2.6.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8207
- + 75 more
📋 What's Changed
- Bump org.codehaus.mojo:exec-maven-plugin from 3.5.0 to 3.5.1 by @dependabot[bot] in https://github.com/apache/storm/pull/8094
- Bump testcontainers.version from 1.21.0 to 1.21.1 by @dependabot[bot] in https://github.com/apache/storm/pull/8093
- Bump org.junit:junit-bom from 5.12.2 to 5.13.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8092
- Bump org.apache.maven.plugins:maven-clean-plugin from 3.4.1 to 3.5.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8090
- Bump com.fasterxml.woodstox:woodstox-core from 7.1.0 to 7.1.1 by @dependabot[bot] in https://github.com/apache/storm/pull/8091
- Bump org.apache.commons:commons-exec from 1.4.0 to 1.5.0 by @dependabot[bot] in https://github.com/apache/storm/pull/8087
- Bump dropwizard.version from 4.0.13 to 4.0.14 by @dependabot[bot] in https://github.com/apache/storm/pull/8086
- Bump prometheus.client.version from 1.3.7 to 1.3.8 by @dependabot[bot] in https://github.com/apache/storm/pull/8088
- + 34 more
📋 What's Changed
- Update Release Note Generation and Docs by @rzo1 in https://github.com/apache/storm/pull/7936
- Bump byte-buddy.version from 1.15.11 to 1.16.1 by @dependabot in https://github.com/apache/storm/pull/3842
- Dependency updates by @rzo1 in https://github.com/apache/storm/pull/7946
- #7951 - Bump commons-codec:commons-codec from 1.17.2 to 1.18.0 by @dependabot in https://github.com/apache/storm/pull/7948
- #7953 - Bump byte-buddy.version from 1.16.1 to 1.17.0 by @dependabot in https://github.com/apache/storm/pull/7949
- Fix ShellBolt log level by @mstrucken in https://github.com/apache/storm/pull/7955
- Bump org.testng:testng from 7.10.2 to 7.11.0 by @dependabot in https://github.com/apache/storm/pull/7965
- IWorkerHook: remove erroneous recursive call by @reiabreu in https://github.com/apache/storm/pull/7958
- + 28 more
✨ New Contributors
- @mstrucken made their first contribution in https://github.com/apache/storm/pull/7955
- Full Changelog: https://github.com/apache/storm/compare/v2.8.0...v2.8.1
📋 What's Changed
- Bump org.codehaus.mojo:license-maven-plugin from 2.4.0 to 2.5.0 by @dependabot in https://github.com/apache/storm/pull/3804
- Bump testcontainers.version from 1.20.3 to 1.20.4 by @dependabot in https://github.com/apache/storm/pull/3796
- STORM-4131: Update log4j2 to a non-borked version by @tballison in https://github.com/apache/storm/pull/3807
- STORM-4133 - Raise Minimum JRE Level to 17 by @rzo1 in https://github.com/apache/storm/pull/3817
- STORM-4132 - Remove "storm-hive" by @rzo1 in https://github.com/apache/storm/pull/3816
- STORM-4134 - Bump org.apache.logging.log4j:log4j-bom from 2.24.2 to 2.24.3 by @dependabot in https://github.com/apache/storm/pull/3813
- Several Dependency Updates by @rzo1 in https://github.com/apache/storm/pull/3818
- Bump org.junit:junit-bom from 5.11.3 to 5.11.4 by @dependabot in https://github.com/apache/storm/pull/3822
- + 14 more
✨ New Contributors
- @tballison made their first contribution in https://github.com/apache/storm/pull/3807
- @MaheshAravindV made their first contribution in https://github.com/apache/storm/pull/3824
- @DiogoP98 made their first contribution in https://github.com/apache/storm/pull/3833
- Full Changelog: https://github.com/apache/storm/compare/v2.7.1...v2.8.0
📋 What's Changed
- Updating release notes by @reiabreu in https://github.com/apache/storm/pull/3706
- Bump org.apache.maven.plugins:maven-pmd-plugin from 3.23.0 to 3.26.0 by @dependabot in https://github.com/apache/storm/pull/3708
- Bump org.apache.maven.plugins:maven-surefire-report-plugin from 3.5.0 to 3.5.2 by @dependabot in https://github.com/apache/storm/pull/3736
- Bump org.jacoco:jacoco-maven-plugin from 0.7.2.201409121644 to 0.8.12 by @dependabot in https://github.com/apache/storm/pull/3735
- Bump org.apache.maven.plugins:maven-jxr-plugin from 3.2.0 to 3.6.0 by @dependabot in https://github.com/apache/storm/pull/3737
- Bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.0.0 to 3.6.0 by @dependabot in https://github.com/apache/storm/pull/3727
- Bump org.codehaus.mojo:exec-maven-plugin from 3.3.0 to 3.5.0 by @dependabot in https://github.com/apache/storm/pull/3711
- Bump org.apache.maven.plugins:maven-javadoc-plugin from 2.10.4 to 3.11.1 by @dependabot in https://github.com/apache/storm/pull/3726
- + 27 more
📋 What's Changed
- STORM-4055 Kafka Consumer ConcurrentModificationException fix by @anand-h-codes in https://github.com/apache/storm/pull/3691
- STORM-4076 KafkaTridentSpoutEmitters can poll all partitions at once instead of one at a time by @anand-h-codes in https://github.com/apache/storm/pull/3679
- STORM-4081 - Bump metrics.version from 4.2.26 to 4.2.27 by @dependabot in https://github.com/apache/storm/pull/3689
- STORM-4082 - Bump prometheus.client.version from 1.3.0 to 1.3.1 by @dependabot in https://github.com/apache/storm/pull/3687
- STORM-4083 - Bump jetty.version from 11.0.21 to 11.0.23 by @dependabot in https://github.com/apache/storm/pull/3688
- STORM-4084 - Bump org.apache.commons:commons-compress from 1.26.0 to 1.27.1 by @dependabot in https://github.com/apache/storm/pull/3686
- STORM-4075 Support mTLS between Storm and ZK by @purushah in https://github.com/apache/storm/pull/3692
- Bump org.apache.maven.plugins:maven-surefire-report-plugin from 3.4.0 to 3.5.0 by @dependabot in https://github.com/apache/storm/pull/3696
- + 5 more
✨ New Contributors
- @anand-h-codes made their first contribution in https://github.com/apache/storm/pull/3691
- @paxadax made their first contribution in https://github.com/apache/storm/pull/3697
- Full Changelog: https://github.com/apache/storm/compare/v2.6.4...v2.7.0