DPA 2025.3 release notes
Release date: August 12, 2025
Here's what's new in DPA 2025.3.
Learn more
- See the release notes aggregator to view release notes for multiple versions
and multiple SolarWinds Platform products on a single page. - See DPA 2025.3 system requirements to learn about prerequisites for running and installing DPA 2025.3.
- See the DPA 2025.3 Administrator Guide to learn how to work with DPA.
New features and improvements in DPA
Keystore management capabilities
DPA now includes a keystore management page that enables you to connect to DPA with a custom, encrypted SSL certificate. Use the keystore management page to specify the location of the custom certificate and the credentials that allow DPA to access it. The credentials are encrypted and securely stored.
Changes to Teams webhook URLs
Microsoft is changing the webhook URL structure used by Teams and the 0365 Connectors service is being retired:
-
Legacy URLs are no longer supported.
-
Microsoft plans to end support for connector-based URLs in December of 2025.
-
Webflow-based URLs are supported.
If you created webhook contacts to send DPA alert notifications to Teams, you must update the URL specified in the DPA contact definition. If the contact uses an unsupported URL, you will not receive alert notifications. For more information about updating connector URLs, see this article.
AI Query Assist retry option
Requests for query optimization suggestions occasionally fail with errors such as 500 (Internal Server Error) or 503 (Service Unavailable). These errors indicate temporary system or service availability problems.
When this type of error is returned, the AI Query Assist tab displays the following message, followed by a Retry button:
Query optimization failed. Please retry.
Click the Retry button to easily send the optimization request again. Retrying a request does not count against the maximum number of requests.
Support for monitoring additional database versions
DPA now supports monitoring the following database versions:
- PostgreSQL 17
- Azure Database for PostgreSQL - Flexible Server 14, 15, 16, and 17
- Google Cloud SQL for PostgreSQL 15, 16, and 17
Security improvements
- The version of Tomcat that DPA uses has been upgraded to 10.1.42.
- The jquery.datatables JavaScript library has been upgraded to 1.11.13.
Fixed CVEs
At SolarWinds, we prioritize the swift resolution of CVEs to ensure the security and integrity of our software. In this release, we have successfully addressed the following CVEs.
SolarWinds CVEs
SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2025-26398 | SolarWinds Database Performance Analyzer Hard-coded Cryptographic Key Vulnerability | SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. If exploited, this vulnerability could lead to a machine-in-the-middle (MiTM) attack against users. This vulnerability requires additional software not installed by default, local access to the server, and administrator level privileges on the host. | 5.6 Medium |
Third-party CVEs
| CVE-ID | Vulnerability title | Description | Severity |
|---|---|---|---|
| CVE-2025-52520 | Apache Tomcat Denial of Service Vulnerability | For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. | 7.5 High |
| CVE-2025-53506 | Apache Tomcat Denial of Service Vulnerability | Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. | 7.5 High |
| CVE-2025-48988 | Apache Tomcat Throttling Vulnerability | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | 7.5 High |
| CVE-2025-49125 | Apache Tomcat Authentication Bypass Vulnerability | Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | 7.5 High |
| CVE-2025-49124 | Apache Tomcat Untrusted Search Path Vulnerability | Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | 8.4 High |
| CVE-2021-23445 | Datatables Cross-site Scripting (XSS) Vulnerability | This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped. | 6.1 Medium |
| CVE-2020-28458 | Datatables Prototype Pollution Vulnerability | All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. | 7.3 High |
Fixed customer issues
| Case number | Description | |
|---|---|---|
| 01952134 | DPA deployed in an AWS cloud environment starts as expected. |
Installation or upgrade
For new installations, you can download the installer from the SolarWinds website or from the Customer Portal. For more information, see the DPA Installation and Upgrade Guide.
For upgrades, use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade. When you are ready, download the upgrade package from the SolarWinds Customer Portal.
Deprecation notice
The following platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features.
DPA server OS
Installing DPA on a server with a Windows Server 2012 R2 operating system is still supported, but support will be removed in an upcoming release.
Legal notices
© 2025 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.