5.2.2
Release Date: April 28, 2026 | Version: 5.2.2 | Upgrade Priority: Recommended (Maintenance and Security Hardening)
Overview
HCL Local License Server (LLS) 5.2.2 is a maintenance release focused on security improvements and dependency updates. This version addresses vulnerabilities identified in the Go runtime and standard libraries used by previous versions of the LLS.
Key highlights of this release:
- No functional changes: Core licensing logic remains identical to version 5.2
- No configuration changes: Existing environment configurations do not require modification
- Security compliance: Upgrades core dependencies to resolve "Critical" and "High" severity scan results
Changes in LLS 5.2.2
This release incorporates the following updates to improve security, stability, and compliance:
- Go Runtime Upgrade: Updated from 1.24.3 to 1.26.2
- Crypto Library Update: golang.org/x/crypto upgraded to v0.45.0
- System Dependency Update: golang.org/x/sys updated as part of standard dependency resolution
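A verification step worth running after rolling out 5.2.2, added here as an example and not code from HCL or the LLS project: Go embeds build metadata in every binary, so `go version -m <binary>` reports the toolchain and module versions that this list names, and the script below parses that output and checks it against the 5.2.2 minimums. The binary path `/opt/hcl/lls/lls`, the module path and the sample metadata are placeholders, not real LLS values.

```python
import re
import subprocess
import sys

# Minimum versions stated in the LLS 5.2.2 release notes.
EXPECTED = {"go": "1.26.2", "golang.org/x/crypto": "v0.45.0"}

# Constructed `go version -m` output for a pre-5.2.2 build; the module path,
# hash and x/crypto version are placeholders, not real LLS metadata.
SAMPLE_OLD = ("/opt/hcl/lls/lls: go1.24.3\n"
              "\tmod\texample.invalid/lls\t(devel)\n"
              "\tdep\tgolang.org/x/crypto\tv0.38.0\th1:CONSTRUCTED\n")

def parse_version(v):
    """'go1.26.2', 'v0.45.0' or a pseudo-version -> comparable tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)*", v)
    return tuple(int(n) for n in m.group(0).split(".")) if m else ()

def parse_buildinfo(text):
    """Toolchain and dependency versions from `go version -m <binary>` output."""
    info, last = {"go": None, "deps": {}}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].endswith(":") and parts[1].startswith("go"):
            info["go"] = parts[1][2:]          # header line: "<binary>: go1.26.2"
        elif len(parts) >= 3 and parts[0] == "dep":
            last = parts[1]                    # "dep <module> <version> <hash>"
            info["deps"][last] = parts[2]
        elif len(parts) >= 3 and parts[0] == "=>" and last:
            info["deps"][last] = parts[2]      # replace directive overrides the dep
    return info

def check(info, expected=EXPECTED):
    results = {}  # name -> (version found, meets the release-note minimum?)
    for name, minimum in expected.items():
        found = info["go"] if name == "go" else info["deps"].get(name)
        results[name] = (found, found is not None
                         and parse_version(found) >= parse_version(minimum))
    return results

def main(binary):
    out = subprocess.run(["go", "version", "-m", binary], check=True,
                         capture_output=True, text=True).stdout
    results = check(parse_buildinfo(out))
    for name, (found, ok) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: found {found}, need >= {EXPECTED[name]}")
    return all(ok for _, ok in results.values())

if __name__ == "__main__":  # default binary path below is a placeholder
    sys.exit(0 if main(sys.argv[1] if len(sys.argv) > 1 else "/opt/hcl/lls/lls") else 1)
```

The check only needs a Go toolchain on the host that inspects the binary, not on the license server itself, so the binary can be copied to a workstation and examined there.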
Vulnerability Impact Analysis and Justification
In alignment with our commitment to transparency, HCL has conducted a thorough impact analysis of the CVEs addressed in this release. While these vulnerabilities exist in the underlying Go libraries, the HCL LLS architecture renders them non-exploitable in standard deployment environments (such as air-gapped or internal networks).
Why this is a Non-Mandatory Upgrade:
The following table provides the technical justification for why these fixes have low or no impact on existing customer environments:
| CVE ID | Severity | Feature Area | Technical Justification |
|---|---|---|---|
| CVE-2025-68121 | Critical | TLS Session Resumption | No Impact. LLS uses static TLS configuration. Any security change requires a service restart, which destroys all in-memory session tickets and forces a full, secure handshake. |
| CVE-2026-27142 | High | HTML XSS | No Impact. LLS is a headless service providing JSON REST APIs only. It does not use HTML templates or render web pages. |
| CVE-2025-58188 | High | Certificate Parsing | No Impact. LLS does not validate or parse client-side certificates (mTLS); the vulnerable code path for DSA keys is never triggered. |
| CVE-2026-25679 | High | URL Validation | No Impact. The server acts as a fixed endpoint and does not perform outbound redirection based on client-supplied URLs. |
| CVE-2025-61726 | High | URL Parameter DoS | Low Risk. Exploitation requires a malicious actor inside the internal network to send millions of recursive parameters. |
Comprehensive List of Security Fixes
This update ensures that all identified vulnerabilities in the Go runtime and associated libraries are addressed:
- Critical Vulnerability Fixed: CVE-2025-68121
- High Severity Vulnerabilities Fixed: CVE-2025-22874, CVE-2025-58187, CVE-2025-58188, CVE-2025-61723, CVE-2025-61725, CVE-2025-61726, CVE-2025-61729, CVE-2026-25679, CVE-2026-27142, CVE-2026-32281, CVE-2026-32283, CVE-2026-33810
- Medium Severity Vulnerabilities Fixed: CVE-2025-58183, CVE-2025-47912, CVE-2025-58185, CVE-2025-58186, CVE-2025-58189, CVE-2025-61724, CVE-2025-61730, CVE-2025-0913, CVE-2025-47906, CVE-2025-61727, CVE-2025-61728, CVE-2025-4673, CVE-2026-32282, CVE-2026-32288, CVE-2026-32289
- Crypto Library Specific Fixes: CVE-2025-47913, CVE-2025-47914, CVE-2025-58181
Summary and Recommendation
HCL recommends that customers upgrade to LLS 5.2.2 during their next scheduled maintenance window to improve their overall security posture and resolve findings in internal security audits.
However, because the vulnerabilities are not exploitable within the LLS architecture, existing deployments of 5.2 and 5.2.1 remain secure, and an immediate, forced upgrade is not required.