
ECDH-ES support added to JWT Builder in 25.0.0.9

Ismath Badsha on Sep 9, 2025

This release introduces ECDH-ES support in JWT Builder as a key management algorithm, offering a more secure alternative to RSA-OAEP.

In Open Liberty 25.0.0.9:

View the list of fixed bugs in 25.0.0.9.

Develop and run your apps using 25.0.0.9

If you’re using Maven, include the following in your pom.xml file:

<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>3.11.5</version>
</plugin>

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.5'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.


Add ECDH-ES support to JWT Builder

Open Liberty enhances its JSON Web Token 1.0 (jwt-1.0) feature by introducing support for ECDH-ES (Elliptic Curve Diffie-Hellman Ephemeral Static) as a key management algorithm in the jwtBuilder configuration. With it, application developers can use elliptic curve cryptography to determine the Content Encryption Key (CEK) of a JSON Web Encryption (JWE) token. The enhancement offers a modern alternative to the previously supported RSA-OAEP and, through ECDH-ES, improved security.

To use ECDH-ES, developers must reference an Elliptic Curve (EC) public key in the keyManagementKeyAlias attribute. The EC public and private key pair can be generated with securityUtility or keytool, for example:

./securityUtility createSSLCertificate --sigAlg=SHA256withECDSA --keySize=256 --server=myServer --validity=3650 --password=password
keytool -genkeypair -alias eccert -keyalg EC -groupname secp256r1 -validity 3650 -storetype pkcs12 -keystore myKeystore.p12 -storepass password

ECDH-ES is configured with the keyManagementKeyAlgorithm attribute of a jwtBuilder element in the JSON Web Token 1.0 (jwt-1.0) feature. Reference the EC public key that the ECDH-ES key management algorithm uses by its alias in keyManagementKeyAlias, and specify the keystore that holds it with the trustStoreRef attribute.

Sample server.xml configuration:

<jwtBuilder
    keyManagementKeyAlgorithm="ECDH-ES"
    keyManagementKeyAlias="myECPublicKey"
    trustStoreRef="myTrustStore" ... />

For more information on configuring jwtBuilder, see the Open Liberty documentation.
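The post says ECDH-ES is used to "determine" the CEK rather than to wrap one, and that is the distinguishing property of the algorithm: no encrypted key travels in the JWE. The following is an added example, not Open Liberty's code or the jwt-1.0 implementation, showing what that agreement looks like end to end per RFC 7518 section 4.6. It uses a small, educational pure-Python P-256 implementation (not constant-time, not for production) so it runs with only the standard library. The builder side holds the static EC public key (the counterpart of the keyManagementKeyAlias entry), generates an ephemeral key, computes Z, and runs the Concat KDF; the consumer side holds the static private key and recomputes the same CEK from the epk in the protected header. The function names (sender_derive_cek, recipient_derive_cek, demo), the apu/apv values and the static key pair are all constructed for this example; the Concat KDF is checked against the RFC 7518 Appendix C test vector in the usage below.

```python
"""Added example: ECDH-ES direct key agreement for JWE (RFC 7518 section 4.6).

Educational pure-Python P-256 arithmetic; it is not constant-time and exists only to
make the ephemeral-static ECDH + Concat KDF flow visible without third-party packages.
"""
import base64
import hashlib
import json
import secrets
import struct

# NIST P-256 (secp256r1) domain parameters: the curve produced by
# "keytool -groupname secp256r1" and "securityUtility ... --keySize=256".
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not side-channel resistant)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def _lenprefix(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def concat_kdf(z: bytes, alg_id: str, apu: bytes, apv: bytes, keydatalen: int) -> bytes:
    """NIST SP 800-56A single-step KDF with SHA-256 as RFC 7518 section 4.6.2 fixes it.
    For alg "ECDH-ES" (direct) alg_id is the "enc" value; for ECDH-ES+AxxxKW it is "alg"."""
    other_info = (_lenprefix(alg_id.encode()) + _lenprefix(apu) + _lenprefix(apv)
                  + struct.pack(">I", keydatalen))
    out, counter = b"", 1
    while len(out) < keydatalen // 8:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[: keydatalen // 8]


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def point_to_jwk(pt):
    x, y = pt
    return {"kty": "EC", "crv": "P-256",
            "x": b64u(x.to_bytes(32, "big")), "y": b64u(y.to_bytes(32, "big"))}


def jwk_to_point(jwk):
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("unsupported epk")
    pt = (int.from_bytes(b64u_dec(jwk["x"]), "big"), int.from_bytes(b64u_dec(jwk["y"]), "big"))
    if not on_curve(pt):  # a consumer must reject off-curve epk values before using them
        raise ValueError("epk is not on P-256")
    return pt


ENC_KEY_BITS = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256}


def sender_derive_cek(static_pub, enc="A256GCM", apu=b"", apv=b""):
    """Builder side: fresh ephemeral key, Z = d_eph * Q_static, CEK = ConcatKDF(Z).
    Returns the protected header (carrying epk, apu, apv) and the CEK; no encrypted key."""
    d_eph = secrets.randbelow(N - 1) + 1
    z = ec_mul(d_eph, static_pub)[0].to_bytes(32, "big")  # Z is the x-coordinate only
    header = {"alg": "ECDH-ES", "enc": enc, "epk": point_to_jwk(ec_mul(d_eph, G))}
    if apu:
        header["apu"] = b64u(apu)
    if apv:
        header["apv"] = b64u(apv)
    return header, concat_kdf(z, enc, apu, apv, ENC_KEY_BITS[enc])


def recipient_derive_cek(static_priv, header):
    """Consumer side: Z = d_static * epk, KDF inputs taken from the protected header."""
    if header.get("alg") != "ECDH-ES":
        raise ValueError("unexpected alg")
    enc = header["enc"]
    z = ec_mul(static_priv, jwk_to_point(header["epk"]))[0].to_bytes(32, "big")
    apu = b64u_dec(header["apu"]) if "apu" in header else b""
    apv = b64u_dec(header["apv"]) if "apv" in header else b""
    return concat_kdf(z, enc, apu, apv, ENC_KEY_BITS[enc])


def demo():
    """Constructed static key pair (stand-in for the 'myECPublicKey' alias) and one exchange."""
    static_priv = secrets.randbelow(N - 1) + 1
    static_pub = ec_mul(static_priv, G)
    header, cek_sender = sender_derive_cek(static_pub, "A256GCM", b"jwt-builder", b"jwt-consumer")
    cek_recipient = recipient_derive_cek(static_priv, json.loads(json.dumps(header)))
    return cek_sender, cek_recipient


if __name__ == "__main__":
    s, r = demo()
    print("CEK agrees:", s == r, "bits:", len(s) * 8)
```

Two points in the consumer path are worth keeping when reading a real implementation: the epk is validated as a point on the named curve before it enters the scalar multiplication (an invalid-curve point would otherwise leak information about the static private key), and apu/apv are fed to the KDF as decoded bytes, so a header that alters them yields a different CEK and the subsequent AEAD decryption simply fails.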

Security vulnerability (CVE) fixes in this release

| CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Notes |
|---|---|---|---|---|
| CVE-2025-36000 | 4.4 | Stored cross-site scripting | 17.0.0.3-25.0.0.8 | Affects the adminCenter-1.0 feature |
| CVE-2025-36047 | 5.3 | Denial of service | 18.0.0.2-25.0.0.8 | Affects the servlet-3.1, servlet-4.0, servlet-5.0 and servlet-6.0 features |
| CVE-2025-48976 | 7.5 | Denial of service | 17.0.0.3-25.0.0.8 | Affects the servlet-3.1, servlet-4.0, servlet-5.0 and servlet-6.0 features |
| CVE-2025-36124 | 5.9 | Bypass security | 17.0.0.3-25.0.0.8 | Affects the wasJmsServer-1.0, wasJmsSecurity-1.0, wasJmsClient-2.0, messagingServer-3.0, messagingSecurity-3.0 and messagingClient-3.0 features |

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Get Open Liberty 25.0.0.9 now