MicroProfile 7.1 and updates to its component specifications in 25.0.0.8

Navaneeth S Nair on Aug 12, 2025

announcements , microprofile , release ,

Post available in languages:

This release introduces support for MicroProfile 7.1, which updates two component specifications: MicroProfile Telemetry and MicroProfile OpenAPI.

In Open Liberty 25.0.0.8:

MicroProfile 7.1
- MicroProfile Telemetry 2.1
- MicroProfile OpenAPI 4.1
Security Vulnerability (CVE) Fixes

View the list of fixed bugs in 25.0.0.8.

Check out previous Open Liberty GA release blog posts.

Develop and run your apps using 25.0.0.8

If you’re using Maven, include the following in your pom.xml file:

<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>3.11.4</version>
</plugin>

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.4'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.

MicroProfile 7.1

MicroProfile 7.1 (MP 7.1) is a minor release which has the following MicroProfile component specifications and works with Jakarta EE 10 Core Profile:

In this release, MicroProfile Telemetry 2.1 and MicroProfile OpenAPI 4.1 have updates while the other five specifications remain unchanged.

To enable MicroProfile 7.1, add the following feature to your server.xml:

<featureManager>
    <feature>microProfile-7.1</feature>
</featureManager>

MicroProfile Telemetry 2.1

MicroProfile Telemetry 2.1 (mpTelemetry-2.1) provides developers with updated Open Telemetry technology. The feature now uses OpenTelemetry v1.48.0, which is updated from v1.39.0. The previously exposed experimental APIs are now stable.

<featureManager>
   <feature>mpTelemetry-2.1</feature>
</featureManager>

To use the OpenTelemetry API, it is no longer required to add the apiTypeVisibility="+third-party" attribute to the classloader element of the server.xml. This also means that it is now possible to deploy an application that uses the OpenTelemetry API by dropping it into the dropins directory.

For more information about MicroProfile Telemetry, see the following links:

MicroProfile OpenAPI 4.1

OpenAPI is a standardized way of documenting REST APIs in a JSON or YAML format. MicroProfile OpenAPI helps to generate and serve OpenAPI documentation for REST applications that are built by using JAX-RS or Jakarta restfulWS. This can be useful for developers to test out the API during development, or for people who use API in production.

To use the new MicroProfile OpenAPI 4.1 (mpOpenAPI-4.1) feature, first add the feature to your server.xml:

<featureManager>
    <feature>mpOpenAPI-4.1</feature>
</featureManager>

Next, deploy any REST application. Then, in a web browser, go to /openapi on the Liberty server to view the YAML OpenAPI document, or go to /openapi/ui for a user interface to browse through the documentation. To enhance the documentation, use annotations in code to add additional information, like textual descriptions, to each method. The annotations are available as a maven dependency:

<dependency>
    <groupId>org.eclipse.microprofile.openapi</groupId>
    <artifactId>microprofile-openapi-api</artifactId>
    <version>4.1</version>
    <scope>provided</scope>
</dependency>

MicroProfile OpenAPI 4.1 is a small release which adds:

The ability to set the jsonSchemaDialect field on the OpenAPI object using the model API
New methods hasExtension and getExtension on Extensible in the model API

For more information about MicroProfile OpenAPI, see:

The Open Liberty guide
The Open Liberty documentation
The javadoc
The specification

Security vulnerability (CVE) fixes in this release

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2024-56339	3.7	Bypass security	17.0.0.3 - 25.0.0.7	Affects the `servlet-3.1`, `servlet-4.0`, `servlet-5.0` and `servlet-6.0` features
CVE-2025-36097	7.5	Denial of service	17.0.0.3 - 25.0.0.7	Affects the `jsonp-1.0`, `jsonp-1.1` and `jsonp-2.0` features

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Get Open Liberty 25.0.0.8 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

See all blog posts