3.5.0

This is primarily a security release to address CVE-2025-64408, a Java deserialization vulnerability exploitable by authenticated attackers.

The vulnerability applied to view models, not entities. The fix involves encrypting the view model memento using an HMAC 256 encryption key. By default, a new key is created each time the application is restarted, which means that any bookmark of a view model will become invalid in subsequent runs.

If you require stable (but still secure) bookmarks across runs, then this can be done by providing a custom implementation of the HmacAuthority bean (to override the default provided by the framework).
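The following added example (not Causeway's code, and not the `HmacAuthority` interface) illustrates why a per-restart key invalidates bookmarks. It assumes a hypothetical token layout in which an HMAC-SHA256 tag is prepended to the memento bytes and checked before anything is deserialized; all class and method names and the sample memento are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical illustration: names and token layout are assumptions, not Causeway's API.
public class MementoHmacDemo {
    static final int TAG_LEN = 32; // HMAC-SHA256 output size in bytes

    static byte[] randomKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Token = base64url(tag || memento bytes).
    static String seal(byte[] key, byte[] memento) throws Exception {
        byte[] out = Arrays.copyOf(hmac(key, memento), TAG_LEN + memento.length);
        System.arraycopy(memento, 0, out, TAG_LEN, memento.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Returns the memento only if its tag verifies; null means "do not deserialize".
    static byte[] open(byte[] key, String token) throws Exception {
        byte[] raw;
        try { raw = Base64.getUrlDecoder().decode(token); }
        catch (IllegalArgumentException e) { return null; }
        if (raw.length < TAG_LEN) return null;
        byte[] memento = Arrays.copyOfRange(raw, TAG_LEN, raw.length);
        byte[] tag = Arrays.copyOf(raw, TAG_LEN);
        return MessageDigest.isEqual(hmac(key, memento), tag) ? memento : null; // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        byte[] memento = "constructed-view-model-state".getBytes(StandardCharsets.UTF_8);
        byte[] run1 = randomKey(), run2 = randomKey(); // default behaviour: fresh key per start
        String bookmark = seal(run1, memento);
        System.out.println("same run:        " + (open(run1, bookmark) != null));
        System.out.println("after restart:   " + (open(run2, bookmark) != null));
        System.out.println("foreign-key tag: " + (open(run1, seal(randomKey(), memento)) != null));
    }
}
```

With a key that stays the same across runs, the "after restart" check would pass; such a key then needs to be stored and protected like any other secret.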

See the Migration notes for further details.

New Feature

  • CAUSEWAY-3942 - Support EclipseLink static weaving automatically.

Improvement

Bug

  • CAUSEWAY-3938 - [Wicket Viewer] Editing uninitialized mandatory property causes exception

  • CAUSEWAY-3899 - NPE guard for DomainChangeRecord

Task