Apache Storm 2.8.6

@rzo1 rzo1 released this 07 Apr 18:11

This release includes two security fixes, enhancements, bug fixes, and a large number of dependency upgrades. Users of previous versions are strongly encouraged to upgrade.


⚠️ Security Fixes

CVE-2026-35337 — Deserialization of Untrusted Data in Apache Storm

Versions affected: < 2.8.6

When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.

Fix: Upgrade to 2.8.6. If you cannot upgrade immediately, monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. See the full mitigation instructions in the release notes.

Credit: Discovered by K.
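The mitigation above calls for an ObjectInputFilter allow-list in front of ObjectInputStream.readObject(). The following is an added example, not Storm's ClientAuthUtils code, of how such a filter is built and attached to the stream that decodes the base64 TGT blob. The class names in the allow-list are an assumption about the JDK's KerberosTicket serial form (KeyImpl and the Inet6Address holder are JDK-internal and vary between releases); the depth, reference and byte limits are likewise constructed values, and the HashMap blob in main() is a constructed stand-in for an arbitrary non-ticket object.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;
import java.util.HashMap;
import java.util.Set;
import javax.security.auth.kerberos.KerberosTicket;

/**
 * Hypothetical helper (not Storm's ClientAuthUtils.deserializeKerberosTicket()) that
 * deserializes a base64 TGT blob behind an allow-list filter instead of a bare readObject().
 */
public final class FilteredTicketDeserializer {

    /**
     * ASSUMPTION: classes the JDK's KerberosTicket serial form references. Verify against the
     * JDK you run by round-tripping a real ticket with this filter and logging rejections;
     * add any JDK-internal class that turns out to be needed, and nothing else.
     */
    private static final Set<String> ALLOWED = Set.of(
        "javax.security.auth.kerberos.KerberosTicket",
        "javax.security.auth.kerberos.KerberosPrincipal",
        "javax.security.auth.kerberos.KeyImpl",
        "java.util.Date",
        "java.net.InetAddress",
        "java.net.Inet4Address",
        "java.net.Inet6Address",
        "java.net.Inet6Address$Inet6AddressHolder"
    );

    // Constructed resource limits: a ticket is a small, shallow object graph.
    private static final long MAX_DEPTH = 8;
    private static final long MAX_REFS = 64;
    private static final long MAX_BYTES = 64 * 1024;

    /** Allow-list filter: unknown classes are REJECTED, which makes readObject() throw. */
    static final ObjectInputFilter TGT_FILTER = info -> {
        if (info.depth() > MAX_DEPTH || info.references() > MAX_REFS
                || info.streamBytes() > MAX_BYTES) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            return ObjectInputFilter.Status.UNDECIDED; // limit-only callback, no class to judge
        }
        while (clazz.isArray()) {
            clazz = clazz.getComponentType(); // byte[], boolean[], InetAddress[] judged by element type
        }
        if (clazz.isPrimitive()) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ALLOWED.contains(clazz.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    };

    /** Decode and deserialize the credential blob; any class outside the allow-list aborts the read. */
    public static KerberosTicket deserialize(String base64Tgt)
            throws IOException, ClassNotFoundException {
        byte[] blob = Base64.getDecoder().decode(base64Tgt);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.setObjectInputFilter(TGT_FILTER); // Java 9+: REJECTED -> InvalidClassException
            Object o = ois.readObject();
            if (!(o instanceof KerberosTicket)) {
                throw new InvalidClassException("TGT blob did not contain a KerberosTicket");
            }
            return (KerberosTicket) o;
        }
    }

    /** Demo: a serialized HashMap stands in for a blob that is not a ticket. */
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new HashMap<String, String>());
        }
        String blob = Base64.getEncoder().encodeToString(bos.toByteArray());
        try {
            deserialize(blob);
            System.out.println("UNEXPECTED: filter let a non-ticket class through");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

A per-stream filter as above is preferable to a JVM-wide one: the JDK's `jdk.serialFilter` system property would also apply to every other Java-serialized object Nimbus and the workers read, so a process-wide allow-list this narrow would need testing against all of Storm's own serialization paths before it is deployed.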


CVE-2026-35565 — Stored XSS via Unsanitized Topology Metadata in Storm UI

Versions affected: < 2.8.6

The Storm UI visualization component interpolates topology metadata (component IDs, stream names, grouping values) directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization. An authenticated user with topology submission rights could craft a topology with malicious HTML/JavaScript in component identifiers, resulting in stored cross-site scripting. In multi-tenant deployments this enables privilege escalation through script execution in an admin's browser session.

Fix: Upgrade to 2.8.6. If you cannot upgrade immediately, patch storm-webapp/src/main/webapp/js/visualization.js to escape output in parseNode() and parseEdge(). See the full mitigation instructions in the release notes.

Credit: Discovered while investigating another report by K.
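The fix escapes topology metadata before it is interpolated into HTML in parseNode() and parseEdge(). The following is an added example, not Storm's visualization.js or any other project code, written in Java to keep one language for this page; it shows the escape-before-interpolate rule on the same kinds of metadata (component IDs, stream names, grouping values). The renderNode()/renderEdge() fragments and the hostile component ID in main() are constructed for illustration.

```java
import java.util.List;

/**
 * Hypothetical escaper (not Storm's code) for the rule the visualization.js fix applies:
 * every piece of topology metadata becomes inert text before it is placed inside HTML.
 */
public final class TopologyMetadataEscaper {

    /** Escape the five characters that can change HTML structure or break out of a quoted attribute. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Constructed node label: component id (also used in an attribute) plus its declared streams. */
    public static String renderNode(String componentId, List<String> streams) {
        StringBuilder html = new StringBuilder();
        html.append("<div class=\"node\" title=\"").append(escapeHtml(componentId)).append("\">");
        html.append("<b>").append(escapeHtml(componentId)).append("</b>");
        for (String stream : streams) {
            html.append("<span class=\"stream\">").append(escapeHtml(stream)).append("</span>");
        }
        return html.append("</div>").toString();
    }

    /** Constructed edge label: source, target and grouping value, all escaped. */
    public static String renderEdge(String from, String to, String grouping) {
        return "<span class=\"edge\">" + escapeHtml(from) + " &rarr; " + escapeHtml(to)
            + " [" + escapeHtml(grouping) + "]</span>";
    }

    public static void main(String[] args) {
        // Constructed sample: an id that would close the title attribute and inject markup if unescaped
        String hostileId = "spout-1\"><b>injected</b>";
        String safe = renderNode(hostileId, List.of("default"));
        System.out.println(safe);
        // The id's literal <, > and " must not survive into the label body
        String body = safe.substring(safe.indexOf("<b>") + 3, safe.indexOf("</b>"));
        if (body.contains("<") || body.contains("\"")) {
            throw new IllegalStateException("escape failed: " + body);
        }
        System.out.println(renderEdge("spout-1", "bolt<1>", "fields(\"id\")"));
    }
}
```

In the browser the equivalent is either to run this escaping on every metadata value before it is concatenated into the innerHTML string, or to build the node and edge elements with DOM APIs and set the text through textContent, which never parses its value as markup.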


🚀 Enhancements

  • #8483 — Migrate to Java 24+ compatible security APIs and add Java 25 to CI
  • #8452 — Pass Conf object to KryoDecorator
  • #8305 — Improve dev-tools/release_notes.py to handle multiple tags per issue

🐛 Bug Fixes

  • #8456 / #8457 — Fix scientific notation display for large numbers in Storm UI table
  • #8442 — Fix NPE in getSupervisorPageInfo for unknown hostnames
  • #8441 — Fix NPE in mkAssignments when assignment is deleted during scheduling
  • #8440 — Fix corrupted record counter in SequenceFileReader.Offset.increment()

📦 Dependency Upgrades

| Dependency | From | To |
| --- | --- | --- |
| io.netty:netty-bom | 4.2.10.Final | 4.2.12.Final |
| hadoop.version | 3.4.3 | 3.5.0 |
| org.rocksdb:rocksdbjni | 10.2.1 | 10.10.1 |
| activemq.version | 6.2.1 | 6.2.3 |
| spring.version | 7.0.5 | 7.0.6 |
| jetty.version | 12.1.6 | 12.1.8 |
| com.fasterxml.jackson:jackson-bom | 2.21.1 | 2.21.2 |
| com.fasterxml.jackson.core:jackson-databind | 2.21.1 | 2.21.2 |
| storm.kafka.client.version | 4.1.1 | 4.2.0 |
| redis.clients:jedis | 7.3.0 | 7.4.1 |
| byte-buddy.version | 1.18.5 | 1.18.8 |
| org.apache.logging.log4j:log4j-bom | 2.25.3 | 2.25.4 |
| prometheus.client.version | 1.5.0 | 1.5.1 |
| org.checkerframework:checker-qual | 3.53.1 | 3.54.0 |
| com.google.errorprone:error_prone_annotations | 2.48.0 | 2.49.0 |
| netty-tcnative.version | 2.0.74.Final | 2.0.75.Final |
| commons-logging:commons-logging | 1.3.5 | 1.3.6 |
| joda-time:joda-time | 2.14.0 | 2.14.1 |
| org.apache.maven:maven-resolver-provider | 3.9.12 | 3.9.14 |
| org.apache.maven.plugins:maven-shade-plugin | 3.6.1 | 3.6.2 |
| com.github.eirslett:frontend-maven-plugin | 1.15.1 | 2.0.0 |
| cytoscape (storm-webapp) | 3.33.1 | 3.33.2 |
| lodash (storm-webapp) | 4.17.23 | 4.18.1 |
| webpack-cli (storm-webapp) | 7.0.0 | 7.0.2 |
| cypress (storm-webapp) | 15.12.0 | 15.13.0 |
| mini-css-extract-plugin (storm-webapp) | 2.10.1 | 2.10.2 |
| start-server-and-test (storm-webapp) | 2.1.5 | 3.0.0 |
| serialize-javascript (storm-webapp) | 7.0.4 | 7.0.5 |
| picomatch (storm-webapp) | 4.0.3 | 4.0.4 |
| actions/upload-artifact | 4.6.2 | 7.0.0 |
| actions/setup-node | 4.4.0 | 6.3.0 |
| actions/download-artifact | 4.3.0 | 8.0.1 |
| ruby/setup-ruby | 1.295.0 | 1.298.0 |