Release Notes for Apache Storm 2.8.6

Issues addressed in 2.8.6.

Security Fixes

CVE-2026-35337 - Deserialization of Untrusted Data vulnerability in Apache Storm

Versions Affected: before 2.8.6.

Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. An authenticated user with topology submission rights could supply a crafted serialized object in the "TGT" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.

Mitigation: 2.x users should upgrade to 2.8.6.

Users who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies.

If you are unable to update, monkey-patching can be done by replacing the affected class in the Storm client JAR with the changes from this commit, either by:

Taking the .class file from the 2.8.6 Storm release (no breaking changes in this class) and replacing it in the existing JAR:
1. Extract the class from the 2.8.6 JAR:
  jar xf storm-client-2.8.6.jar org/apache/storm/security/auth/ClientAuthUtils.class
2. Replace it in your existing JAR:
  jar uf storm-client-2.8.5.jar org/apache/storm/security/auth/ClientAuthUtils.class
Note: check for inner classes first and extract/replace those too if present:
jar tf storm-client-2.8.6.jar | grep ClientAuthUtils
Checking out the 2.8.5 tag, applying the change, and building from source.

Credit: This issue was discovered by K.

CVE-2026-35565 -Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI

Versions Affected: before 2.8.6.

Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting.

In multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.

Mitigation: 2.x users should upgrade to 2.8.6.

Users who cannot upgrade immediately should monkey-patch storm-webapp/src/main/webapp/js/visualization.js as follows.

Step 1. Add the following helper function after the existing tooltipElement() function:

function escapeHtml(str) {
    return String(str)
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#039;");
}

Step 2. In parseNode(), replace the title construction and label in the node object:

var safeNodeId = escapeHtml(nodeId);
var safeCapacity = escapeHtml(nodeJson[":capacity"]);
var safeLatency = escapeHtml(nodeJson[":latency"]);
 
var title = tooltipElement([
    { text: safeNodeId, bold: true },
    { text: "Capacity: " + safeCapacity },
    { text: "Latency: " + safeLatency }
])
 
var node = {
    "id": nodeId,         // keep raw — vis.js uses this as an internal key
    "label": safeNodeId,
    ...

Step 3. In parseEdge(), replace the visNS.edges.update() call:

visNS.edges.update({
    "id": id,
    "from": edgeJson[":component"],   // keep raw — vis.js node reference key
    "to": sourceId,                   // keep raw — vis.js node reference key
    "label": escapeHtml(edgeJson[":stream"]),
    "title": tooltipElement([
        { text: "From: " + escapeHtml(edgeJson[":component"]) },
        { text: "To: " + escapeHtml(sourceId) },
        { text: "Grouping: " + escapeHtml(edgeJson[":grouping"]) }
    ])
});

To deploy the patched file, replace it inside storm-webapp-2.8.5.jar, found in the lib-webapp directory of your Storm installation. Storm runs embedded Jetty and serves static resources directly from this JAR:

# Check the exact internal path first
jar tf lib-webapp/storm-webapp-2.8.5.jar | grep visualization.js
 
# Recreate the directory structure to match (e.g. public/js/)
mkdir -p public/js
cp visualization.js public/js/visualization.js
 
# Replace in the JAR
jar uf lib-webapp/storm-webapp-2.8.5.jar public/js/visualization.js

Restart the Storm UI process after replacing the file.

As a defense-in-depth measure, restrict topology submission to trusted users via Nimbus ACLs.

Credit: This issue was discovered while investigating another report by K.

Dependencies

[#8502] - Bump com.google.errorprone:error_prone_annotations from 2.48.0 to 2.49.0
[#8501] - Bump redis.clients:jedis from 7.4.0 to 7.4.1
[#8500] - Bump cytoscape from 3.33.1 to 3.33.2 in /storm-webapp
[#8499] - Bump lodash from 4.17.23 to 4.18.1 in /storm-webapp
[#8497] - Bump io.netty:netty-bom from 4.2.10.Final to 4.2.12.Final
[#8496] - Bump jetty.version from 12.1.7 to 12.1.8
[#8495] - Bump activemq.version from 6.2.1 to 6.2.3
[#8494] - Bump hadoop.version from 3.4.3 to 3.5.0
[#8493] - Bump start-server-and-test from 2.1.5 to 3.0.0 in /storm-webapp
[#8492] - Bump mini-css-extract-plugin from 2.10.1 to 2.10.2 in /storm-webapp
[#8491] - Bump webpack-cli from 7.0.0 to 7.0.2 in /storm-webapp
[#8490] - Bump cypress from 15.12.0 to 15.13.0 in /storm-webapp
[#8489] - Bump actions/upload-artifact from 4.6.2 to 7.0.0
[#8488] - Bump actions/setup-node from 4.4.0 to 6.3.0
[#8487] - Bump actions/download-artifact from 4.3.0 to 8.0.1
[#8476] - Bump org.rocksdb:rocksdbjni from 10.2.1 to 10.10.1
[#8475] - Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.14
[#8474] - Bump org.apache.maven.plugins:maven-shade-plugin from 3.6.1 to 3.6.2
[#8473] - Bump netty-tcnative.version from 2.0.74.Final to 2.0.75.Final
[#8472] - Bump com.fasterxml.jackson:jackson-bom from 2.21.1 to 2.21.2
[#8471] - Bump io.netty:netty-bom from 4.2.10.Final to 4.2.12.Final
[#8470] - Bump joda-time:joda-time from 2.14.0 to 2.14.1
[#8469] - Bump byte-buddy.version from 1.18.5 to 1.18.8
[#8468] - Bump storm.kafka.client.version from 4.1.1 to 4.2.0
[#8467] - Bump activemq.version from 6.2.1 to 6.2.3
[#8466] - Bump org.apache.logging.log4j:log4j-bom from 2.25.3 to 2.25.4
[#8465] - Bump prometheus.client.version from 1.5.0 to 1.5.1
[#8464] - Bump org.checkerframework:checker-qual from 3.53.1 to 3.54.0
[#8463] - Bump com.github.eirslett:frontend-maven-plugin from 1.15.1 to 2.0.0
[#8462] - Bump redis.clients:jedis from 7.3.0 to 7.4.0
[#8461] - Bump commons-logging:commons-logging from 1.3.5 to 1.3.6
[#8460] - Bump spring.version from 7.0.5 to 7.0.6
[#8459] - Bump jetty.version from 12.1.6 to 12.1.7
[#8458] - Bump com.fasterxml.jackson.core:jackson-databind from 2.21.1 to 2.21.2
[#8447] - Bump serialize-javascript from 7.0.4 to 7.0.5 in /storm-webapp
[#8437] - Bump ruby/setup-ruby from 1.295.0 to 1.298.0
[#8436] - Bump picomatch from 4.0.3 to 4.0.4 in /storm-webapp

Enhancement

[#8483] - Migrate to Java 24+ compatible security APIs and add Java 25 to CI
[#8452] - Passing Conf object to KryoDecorator
[#8305] - Improve dev-tools/release_notes.py to deal with multiple tags in an issue

Bug

[#8456] - Storm 2.8.5 GUI using scientific notation in columns for large numbers
[#8442] - Fix NPE in getSupervisorPageInfo for unknown hostnames
[#8441] - Fix NPE in mkAssignments when assignment is deleted during scheduling
[#8440] - Fix corrupted record counter in SequenceFileReader.Offset.increment()

Uncategorized

[#8484] - Speed up CI by building once on JDK 17 and fanning out tests.
[#8457] - #8456 - Fix scientific notation display for large numbers in Storm UI table
[#8439] - #7751 Add script and workflow to auto-update license files
[#8438] - #8305 - Fix release_notes.py to avoid duplicate issues when multiple labels exist