Updates for 2.37, 2.38 and 2.39 are now available - [SECURITY UPDATE]

phil · 18 November 2025 19:39

Dear all,

We have released updates for three older (unsupported) releases to address critical vulnerabilities in versions 2.37 to 2.39.

DHIS2-20195: Create-token User Override
DHIS2-20243: No-ACL user lookup

Note: these issues can only be exploited by authenticated users.

These updates can be be applied by taking the End Of Support (EOS) builds of the relevant versions:

FOR 2.37:

You must be on 2.37.10
You can then update to https://releases.dhis2.org/2.37/dhis2-stable-2.37-eos.war

FOR 2.38:

You must be on 2.38.7
You can then update to https://releases.dhis2.org/2.38/dhis2-stable-2.38-eos.war

FOR 2.39:

You must be on 2.39.10.1
You can then update to https://releases.dhis2.org/2.39/dhis2-stable-2.39-eos.war

If you are unable to apply the relevant update for some time, advice for mitigating the risk can be found in this post.

Thanks!

DHIS2 Release Team

phil · 19 November 2025 14:12

Dear ALL,

Please note that there were some global networking issues yesterday and it seems that the 2.37-eos version was not built!

i.e. the current 2.37-eos war file does NOT contain the fix.

We are rebuilding now and will update this thread when the new build is available.

phil · 19 November 2025 18:12

The 2.37 war file has now been correctly built now and the link in the original post above restored.

If you are in doubt about which 2.37-eos war file you downloaded, note that the build date in the DHIS2 about page should show today’s date (i.e. November 19, 2025).

Kind regards,
Phil