1.24.3 release notes

25th July 2023

🔒 Security fixes

  • Armeria server now strips matrix variables from a request path before finding a matching route. CVE-2023-38493
    • Previously, when an Armeria decorator is used to decorate a Spring controller served using TomcatService or JettyService, the request bypassed the decorator if the request path contains matrix variables.
    • You can use a regex for the decorator as a workaround before you upgrade Armeria.
      • For example, sb.decoratorUnder("regex:^/prefix.*", decorator) instead of sb.decoratorUnder("/prefix", decorator).

🛠️ Bug fixes

🙇 Thank you