Lucee Stable Release

The Lucee team is proud to release our latest Stable Release. This release focusses on bug fixes and making Lucee more secure by default, the big change here is that XML XXE mitigations are now on by default. This release also solves a native QoQ bug.

Note: I mistyped the version number in the original post title, it’s not, it

Spacewalker Woody Hoburg Rides the Canadarm2 Robotic Arm

But what’s a XML XXE you ask?

We have also backported this XXE change to some older releases, 5.3.7, 5.3.8 and 5.3.9, see the above post for details Anyone running older releases should be upgrading to 5.4.2, the 5.4 series includes updates for lots of underlying java libraries with CVEs

There is also a Stable Release


Java Support

Unchanged, 11 is recommended, 8 still works, 17 is not supported

Tickets since RC

LDEV-2692 - scheduled tasks list in admin doesn’t show the start time for daily, weekly or monthly tasks


LDEV-3451 - Disable XML entities by default against XXE in Lucee 6.0 & 5.4
LDEV-3889 - show changelog on admin update page
LDEV-4087 - debug templates are changing the debug log entries
LDEV-4178 - Support passthru of storage locations for Directory* functions / CFDIRECTORY
LDEV-4348 - add xmlFeatures to getApplicationSettings
LDEV-4597 - NPE in pageSourcePool.clearUnused()
LDEV-4610 - Add requestExclusive param to administrator.updateDatasource()
LDEV-4627 - Native QoQ exception when column case differs
LDEV-4628 - update to zip4j 2.11.5
LDEV-4631 - Admin 5.4 is showing false update banner notifications for extensions
LDEV-4635 - s3 ext setStorage() does nothing for directoryCreate
LDEV-4640 - Lucee server config: errors in logs when server xml missing “update” element
LDEV-4644 - only show admin updates notifications for the same major version
LDEV-4645 - CHAR type in cfprocparam passes empty string as NULL


There’s a silly regression that you’ll see an update notification for the current version, already fixed in the latest snapshots, it only showed up after we published, it’s just cosmetic

Code Changes

Please support Lucee


title should be 5.4.2 not 5.2.4…


good catch, updated

1 Like

installers are up on

build process is finally completely automated [LDEV-1120] - Lucee


Thanks Lucee Team!

Any chance we can get these updated for maven/gradle users? We deploy lucee as a dependency of a jetty project, so we can currently only get up to

@micstriit will be actioning this

Thanks @Zackster
Always appreciated sir!

There’s a silly regression that you’ll see an update notification for the current version , already fixed in the latest snapshots, it only showed up after we published, it’s just cosmetic

Weren’t there any regression tests? If there were, how did they fail to catch this?

I think that such an error, even if cosmetic, should disqualify from being a Stable release. As things stand, the Stable release (“ready for production”) has the error. Yet the Snapshot (“NOT recommended for production environments”) is free of the error. Awkward.

You wouldn’t want that to happen often in Lucee. As that would convey a negative image of quality…

Are you volunteering?





Updated my Lucee Installation to Now I get a Fatal Error when consuming a webservice width cfinvoke:

lucee.runtime.exp.NativeException: Fatal Error: URI= Line=2: Markup im Dokument nach dem Root-Element muss ordnungsgemäß formatiert sein. at org.apache.axis.utils.XMLUtils$ParserErrorHandler.fatalError(

Any sugestions to fix this problem?

Thanks in advanced!

Did you verify/check the validity of the XML that is being consumed? Please see xml - How to fix error: The markup in the document following the root element must be well-formed - Stack Overflow is up on maven

JDK docker builds are also up Docker

@Schumatech , does the following test work?

<cfset wsObject=createobject("webservice","")>
<cfdump var="#wsObject#" >

If it does, then cfinvoke might be broken in Lucee Someone reported a similar cfinvoke issue on Lucee

Without seeing the WSDL it’s impossible to say.

@andreas asked for it above.

Depending on how your Lucee is deployed, the results of something like wget from the same machine/Docker image would be helpful, and also rule out any networking issues.