...

DSpace 9.1 provides bug fixes, accessibility & performance improvements to the 9.x platform. No new features are provided. As such this release should be an easier upgrade for sites already running 9.x.

9.1 Security Fixes

  • Fix for CVE-2025-53621 (moderate severity). XML External Entity (XXE) injection possible in import via Simple Archive Format (SAF) or import from external sources. See security advisory or mailing list “security notice” for details.
  • Fix for CVE-2025-53622 (moderate severity). Path traversal vulnerability in Simple Archive Format (SAF) package import via “contents” file. See security advisory or mailing list “security notice” for details.
  • This release also includes many dependency updates in order to keep all DSpace sites secure. Some of these updates patch vulnerabilities that have been reported by those dependencies, but no exploits of these vulnerabilities have been confirmed in DSpace.

...

The following 14 individuals have contributed directly to the DSpace backend (REST API, Java API, OAI-PMH, etc.) in this release (ordered by number of GitHub commits): Kim Shepherd (kshepherd), Tim Donohue (tdonohue), Alan Orth (alanorth), Michele Boychuk (Micheleboychuk), Max Nuding (max-nuding), Abhinav Sidharthan (AbhinavS96), Sascha Szott (saschaszott), Jens Vannerum (jensvannerum), Marcin Miłosz (MMilosz), Mark Wood (mwoodiupui), Yury Bondarenko (ybnd), Adamo Fapohunda (AdamF42), Alexandre Vryghem (alexandrevryghem), Francisco Carvalho (ciscocarvalho).

...