DHIS2 patch release 2.42.3.1 is now available - [SECURITY HOTFIX]

phil · 18 November 2025 19:24

Dear all,

DHIS2 version 42.3.1 is out as a HOTFIX release to address critical vulnerabilities in v42.

DHIS2-20195: Create-token User Override
DHIS2-20243: No-ACL user lookup

Note: these issues can only be exploited by authenticated users.

This is the latest stable release for version 42, and supersedes release 42.3.0.

The release note for this patch can be found here: Patch 42.3.1 Release Note.

If you are unable to apply this patch for some time, advice for mitigating the risk can be found in this post.

Thanks!

DHIS2 Release Team

Release Information	Links
Release Note	Patch 42.3.1 Release Note
Upgrade notes	2.42 Upgrade notes
Download release and sample database	Downloads - DHIS2
Documentation	Home - DHIS2 Documentation
Source code on Github	tag/2.42.3.1
Demo instance	Login app \| DHIS2
Docker	`docker pull dhis2/core:2.42.3.1` for more docker image variants see dockerhub

phil · 18 November 2025 19:48

In order to avoid unnecessarily long exposure to the vulnerabilities above, the following documents contain different alternative ways that you can patch your implementation until you are able to apply the DHIS2 updates:

2025-11-11 ApiToken Vulnerability Mitigations.pdf (117.1 KB)

2025-11-18 Alternative mitigation to the ApiToken vulnerabili.pdf (84.7 KB)

Kind regards,

DHIS2 Security Team