EximeeBPMS 1.1.0 Release Notes

Edition: Community  |  Release date: 19.10.2025

Patch releases: 1.1.1 (24.10.2025) — security fixes  |  1.1.2 (25.10.2025) — dependency path fix


Highlights

  • WildFly 27 application server support
  • EximeeBPMS Monitor metrics available from eximeebpms-run
  • JaCoCo test coverage and Sonar static analysis integration
  • Upstream engine synchronisation with Camunda 7 up to v7.24.0-alpha1
  • Broad dependency refresh including several high-severity security fixes

New Features

WildFly 27 Support

WildFly 27 is now a supported application server. A dedicated distribution is included, and integration tests run against WildFly 27 on CI. WildFly and Tomcat are excluded from the default Maven build profile; use -P full to include them.

Install — Full Distribution for JBoss/WildFly

EximeeBPMS Monitor Metrics

The eximeebpms-run standalone distribution now publishes engine metrics through EximeeBPMS Monitor. Job executor statistics, process instance counts, and task queue depths are available as Prometheus-compatible metrics out of the box.

Metrics

Snapshot Deployment to Sonatype

Snapshot artifacts are automatically deployed to Sonatype Central on every push to main, making it easier to test unreleased changes in downstream projects.


Bug Fixes

  • Fixed implicit narrowing conversion in compound assignment in engine code.
  • Fixed integration test and workflow configuration issues.
  • Fixed wrong namespace references (multiple iterations) in build descriptors.
  • Fixed snapshot deployment module list and authentication token handling.

Technical Updates

Build Configuration

  • JaCoCo plugin enabled by default. HTML and XML reports generated under target/site/jacoco/ after mvn verify.
  • SonarQube/SonarCloud analysis available via the sonar Maven profile.
  • WildFly and Tomcat excluded from default build; enabled via -P full.

Upstream Sync

  • Synchronised upstream Camunda 7 changes (June 2024 batch).
  • Synchronised upstream Camunda 7 changes up to v7.24.0-alpha1.

Dependency Updates

DependencyPreviousUpdated
Spring Boot3.4.43.5.5
Spring Framework6.2.46.2.10
Quarkus3.20.03.27.0
Tomcat 1010.1.3610.1.43
Tomcat 99.0.1009.0.107
WildFly35.0.0.Final37.0.0.Final
WildFly Core test framework27.0.0.Final29.0.0.Final
jersey-json1.151.19.4
Bouncy Castle1.471.70
Guava28.2-jre33.4.6-jre
json-smart2.5.02.5.2
Undertow Servlet2.3.0.Final2.3.18.Final
Apache HttpClient 55.4.15.5
Apache HttpComponents4.5.105.3.1
Gson2.8.92.12.1
OkHttp3.14.24.12.0
MyBatis3.5.153.5.19
Java UUID Generator4.3.05.1.0
FEEL Scala engine1.19.11.19.3
Joda-Time2.12.52.14.0
JUnit 44.13.14.13.2
XMLUnit Core2.6.22.10.1
OpenAPI Generator Maven Plugin4.2.37.12.0
Swagger Annotations1.5.221.6.14
Commons Lang 33.93.18.0
Jetty9.4.31.v202007239.4.57.v20241219
ShrinkWrap Resolvers2.2.22.2.7
Maven Javadoc Plugin3.3.13.11.2
Cargo Maven Plugin1.10.161.10.20
Build Helper Maven Plugin1.9.13.6.0
wsdl4j1.6.21.6.3

Resolved CVE Vulnerabilities

Critical

CVECVSSComponentDescriptionFixed In
CVE-2019-102029.8jackson-mapper-asl (bundled in jersey-json ≤1.15)“Unsafe deserialization enabling remote code execution via polymorphic type handling.” Fixed by upgrading jersey-json 1.15 → 1.19.4. Note: jackson-mapper-asl is an abandoned library with no upstream fix available; full remediation requires replacing Jersey JSON.1.1.0

High

CVECVSSComponentDescriptionFixed In
CVE-2019-101727.5jackson-mapper-asl (bundled in jersey-json ≤1.15)“XXE injection via XML parsing in the Jackson 1.x mapper.” Fixed by upgrading jersey-json 1.15 → 1.19.4.1.1.0
CVE-2024-576997.5net.minidev:json-smart ≤2.5.1“Stack exhaustion denial of service via deeply nested { characters in JSON input (incomplete fix of CVE-2023-1370).” Fixed in json-smart 2.5.2.1.1.0

Medium

CVECVSSComponentDescriptionFixed In
CVE-2025-412425.9spring-webmvc / spring-webflux ≤6.2.9“Path traversal on non-compliant Servlet containers.” Fixed in Spring Framework 6.2.10.1.1.0
CVE-2025-412346.5spring-web ≤6.2.7“Reflected File Download (RFD) via Content-Disposition filename derived from user input.” Fixed in Spring Framework 6.2.8.1.1.0

Low

CVECVSSComponentDescriptionFixed In
CVE-2020-89083.3com.google.guava:guava ≤31.xFiles.createTempDir() creates world-readable (0755) temporary directories, enabling local information disclosure.” Fixed by upgrading Guava to 33.x.1.1.0

1.1.1

Edition: Community  |  Release date: 24.10.2025

Highlights

Security-only patch. Fixes four high-severity CVEs in Spring Framework, Spring Security, and Apache Commons FileUpload.

Technical Updates

Dependency Updates

DependencyPreviousUpdated
Spring Boot3.5.53.5.6
Spring Framework6.2.106.2.11
commons-fileupload1.51.6.0
Liquibase4.8.05.0.1
REST Assured4.5.05.5.6
Quarkus3.27.03.28.4
simple-jndi0.24.00.25.0

Resolved CVE Vulnerabilities

High
CVECVSSComponentDescriptionFixed In
CVE-2025-48976commons-fileupload ≤1.5“Allocation of multipart headers without size limits enables denial of service.” Fixed in commons-fileupload 1.6.0.1.1.1
CVE-2023-24998commons-fileupload ≤1.4“Unlimited request part count allows denial of service (since commons-fileupload 1.0).” Fixed in 1.5; superseded by CVE-2025-48976 in 1.6.1.1.1
CVE-2025-412497.5spring-framework ≤6.2.10@PreAuthorize annotation detection bypass on generic superclasses allows authorization to be skipped.” Fixed in Spring Framework 6.2.11.1.1.1
CVE-2025-412487.5spring-security (Spring Boot ≤3.5.5)“Authorization bypass for method security annotations on parameterized types.” Fixed in Spring Boot 3.5.6 / Spring Security 6.5.4.1.1.1

1.1.2

Edition: Community  |  Release date: 25.10.2025

Highlights

Infrastructure patch. Fixes incorrect dependency path resolution for EximeeBPMS artifacts in downstream Maven projects.

Bug Fixes

  • Fixed incorrect EximeeBPMS artifact path resolution in downstream Maven projects consuming snapshot or release artifacts.
  • Fixed snapshot release workflow authentication token usage.

On this page