Support for override library in the application classloader and support for Java 25 in 25.0.0.10

Navaneeth S Nair on Oct 7, 2025

announcements , java-se , release , java-ee ,

Post available in languages:

This release introduces support for the override library in the application classloader that allows fixing applications without rebuilding them. It also adds compatibility with Java 25, the latest Long-Term Support (LTS) release of Java.

In Open Liberty 25.0.0.10:

OverrideLibrary support for application classloader
Support for Java 25
Security Vulnerability (CVE) Fixes

View the list of fixed bugs in 25.0.0.10.

Check out previous Open Liberty GA release blog posts.

Develop and run your apps using 25.0.0.10

If you’re using Maven, include the following in your pom.xml file:

<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>3.11.5</version>
</plugin>

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.5'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.

OverrideLibrary support for application classloader

This GA release introduces a new type of library reference for configuring an application’s <classloader/> that can be used to configure the override library reference. The override library reference is similar to a private library reference because class instances remain unique to the application’s classloader. The key difference is the search order. With an override library reference, the library class path is searched before the application’s own class path. The override library hence allows the library path to override classes that are already included in the application.

For example, suppose a <webApplication/> contains a class such as org.acme.needs.fix.SomeImpl that must be overridden to resolve an issue. If you are rebuilding the application to include the fix and rebuilding is difficult or undesirable, build a new library JAR (for example, someImplFix.jar) with the corrected class files. The following server.xml configuration shows how to use an overrideLibraryRef to apply the fix without rebuilding the application:

<webApplication location="appThatNeedsFix.war">
    <classloader overrideLibraryRef="someImplFix"/>
</webApplication>

<library id="someImplFix">
     <path name="someImplFix.jar"/>
</library>

Support for Java 25

Java 25, the latest Long-Term Support (LTS) release, contains many new features and enhancements over previous versions of Java. There are 18 new features (JEPs) in Java 25: 6 are test features and 12 are fully delivered.

Test features

Delivered features

503: Remove the 32-bit x86 Port
506: Scoped Values
510: Key Derivation Function API
511: Module Import Declarations
512: Compact Source Files and Instance Main Methods
513: Flexible Constructor Bodies
514: Ahead-of-Time Command-Line Ergonomics
515: Ahead-of-Time Method Profiling
518: JFR Cooperative Sampling
519: Compact Object Headers
520: JFR Method Timing & Tracing
521: Generational Shenandoah

When using the CompletableFuture and SubmissionPublisher classes in Java 25 without an explicit Executor backing them, they default to using the ForkJoinPool.commonPool. This pool sets its parallelism value to the number of available processors minus one (# available processors - 1). Applications running on systems with two or fewer processors can encounter concurrency issues, as Java 25 uses only a single thread by default. In earlier Java versions, this was not a problem because the JDK would create a new thread for each async task when the ForkJoinPool common pool had a parallelism value less than 2.

You can avoid this issue by using one of the following approaches:

Use the CompletableFuture class provided in Liberty’s Jakarta Concurrency implementation, which does not have this limitation. You can use the CompletableFuture class with a DefaultManagedExecutorService instance and either the supplyAsync method or the runAsync method.
Explicitly set the ForkJoinPool.commonPool parallelism value to the desired number of threads by using the system property, -Djava.util.concurrent.ForkJoinPool.common.parallelism=N (where N is the minimum number of threads required).
Use an explicit backing Executor.

For more information on this change, see the following links:

Take advantage of the changes in Java 25 in Open Liberty now and get more time to review your applications, microservices, and runtime environments on your favorite server runtime!

Just download the latest release of Java 25, download and install the 25.0.0.10 version of Open Liberty, edit your Liberty server’s server.env file with JAVA_HOME set to your Java 25 installation directory and start testing!

For more information on Java 25, please visit the Java 25 release notes page, API Javadoc page or download page. For more information on Open Liberty, please visit our documentation page.

Security vulnerability (CVE) fixes in this release

CVE CVSS Score Vulnerability Assessment Versions Affected Notes

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2020-36732	5.3	Weaker security	17.0.0.3-25.0.0.9	Affects the `openidConnectServer-1.0` feature

CVE-2020-36732

5.3

Weaker security

17.0.0.3-25.0.0.9

Affects the openidConnectServer-1.0 feature

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Get Open Liberty 25.0.0.10 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

See all blog posts