Today, we published a new maintenance release of Hibernate ORM 5.3: 5.3.20.Final.

Security Update

This release introduces a security fix relating to .

The flaw has been present in Hibernate ORM since many years, so many older versions are affected.

An upgrade is recommended, but if you are using a very old version which makes it difficult to upgrade to the latest supported versions (series 5.4 and 5.3 at time of writing this), you can disable SQL comments by setting:


This also is the default, so if you did not set the use_sql_comments at all you are not affected.

Bugfixes and Improvements

In addition to the security fix the release introduces :

  • A fix for the NPE thrown when an Entity A has a map collection having an Embeddable with an association to A as index (HHH-14257)

  • An improvement that permits to use a query hint to specify the table names to which a native query refers. During the auto flush, Hibernate will check whether there are pending operation affected by those tables, and if so automatically flush those changes. When the native query performs an update or delete operation, the table names are also used to determine if any second level cache region is affected and then need to be invalidated (HHH-14325)

You can find the full list of changes in this version here (or, for people without a Hibernate Jira account, here).

Getting 5.3.20.Final

All details are available and up to date on the dedicated page on

Feedback, issues, ideas?

To get in touch, use the usual channels:

Back to top