Java 25 release: Post-quantum security explained

Oracle released Java 25 on September 16, 2025, introducing the first Long-Term Support (LTS) version since Java 21. With over 73 billion active Java Virtual Machines deployed globally, this release directly affects organizational security infrastructure. The update includes post-quantum cryptography foundations, enhanced encryption key management, and disabled legacy protocols that cybercriminals actively exploit.

For business leaders, this is not just a technical update. It is a critical security milestone that determines whether organizations are protected against tomorrow's threats or remain vulnerable to known attack vectors.

What is Java 25

Java 25 is Oracle's latest Long-Term Support release, providing eight years of security updates through September 2033. Unlike the six-month support cycle for non-LTS versions, this extended window allows organizations to migrate gradually while maintaining protection. The release includes 18 finalized Java Enhancement Proposals (JEPs) that strengthen security, improve performance, and introduce quantum-resistant cryptographic capabilities.

How it works

Java 25 operates as a runtime environment that executes applications across diverse infrastructure: from on-premises servers to cloud containers and microservices architectures. The platform dynamically optimizes application performance, translating code into native machine instructions while programs run.

The security architecture implements multiple defensive layers: enforced boundaries for internal access, cryptographic operation monitoring, and automatic disabling of deprecated protocols. When applications attempt weak algorithms like SHA-1, Java 25 blocks these operations by default, eliminating security misconfigurations that attackers commonly exploit.

What is new for security

Java 25 finalizes the Key Derivation Function (KDF) API, implementing industry-standard algorithms including HKDF, PBKDF2, and Argon2 that strengthen encryption key generation and management. Organizations using older versions rely on weak methods that sophisticated attackers can compromise through brute-force attacks.

The release introduces quantum-resistant cryptographic standards (ML-KEM and ML-DSA) designed to withstand attacks from future quantum computers. These post-quantum algorithms operate up to 10% faster while providing mathematical security that remains intact even when quantum computers become commercially viable. The "harvest now, decrypt later" threat, where adversaries collect encrypted data today to decrypt once quantum computers are available, makes this protection critical for organizations handling financial records, healthcare data, or intellectual property.

SHA-1 is now disabled in TLS 1.2 handshake signatures by default, eliminating a vulnerability attackers exploit for man-in-the-middle attacks. Though cryptographically broken since 2017, many enterprise applications continued using SHA-1 because older Java versions enabled it by default.

The PEM Encodings API provides preview support for modern authentication systems, streamlining certificate chain and cryptographic credential processing in zero-trust architectures. Hybrid key exchange specifications combine quantum-resistant algorithms with traditional cryptography, ensuring security even if one algorithm is compromised.

Performance and reliability

Memory usage decreases substantially through Compact Object Headers, with real-world testing showing 70% performance improvements in framework deployments upgrading from Java 21 without code modifications. Organizations running microservices see immediate cost savings from reduced cloud resource consumption.

Generational Shenandoah garbage collection provides sub-millisecond pause times, ensuring user-facing applications maintain consistent responsiveness. Ahead-of-Time optimizations significantly improve startup times for cloud workloads, addressing cold start latency in serverless environments where applications become responsive faster.

Enhanced JDK Flight Recorder capabilities provide production-ready observability with accurate CPU profiling and cooperative sampling that does not impact performance. DevOps teams can identify bottlenecks without deploying third-party monitoring agents.

Why leaders should care

The average data breach cost reached $4.45 million in 2023, with costs rising as regulatory penalties and legal liabilities increase. Major data breaches like TransUnion demonstrate real-world consequences. The 2017 Equifax breach exemplifies consequences: attackers exploited a critical Java vulnerability (CVE-2017-5638, severity 10.0), resulting in 147 million compromised records and over $1.4 billion in settlements.

Java powers the majority of enterprise applications, meaning unpatched vulnerabilities create organization-wide exposure affecting customer data, financial systems, and operational infrastructure. A single publicized breach resulting from unpatched Java signals to customers, partners, and investors that organizations prioritize convenience over security.

Organizations delaying migration will eventually face forced upgrades under crisis conditions when critical vulnerabilities emerge. Proactive migration during stable operational windows costs significantly less than reactive emergency patching when attackers actively exploit vulnerabilities.

Risks and realities

Cybercriminals systematically scan internet-facing applications for outdated Java versions using automated tools that identify exploitable systems within minutes. Once discovered, they leverage publicly documented exploits to gain unauthorized access, execute malicious code, or exfiltrate sensitive data.

Organizations running outdated versions cannot receive security patches for newly discovered vulnerabilities, creating permanent exposure that grows more dangerous over time. This accumulating security debt compounds risk exponentially as each month of delay increases both exploitation likelihood and remediation complexity.

Applications explicitly relying on deprecated security features require targeted updates to maintain functionality under Java 25. Organizations must balance security urgency with testing requirements, as insufficient compatibility validation can cause production failures.

Third-party software vendors may not immediately support Java 25, creating dependencies that delay enterprise migration. Legacy applications built on deprecated APIs face higher migration complexity, requiring code refactoring that extends timelines and increases costs.

What to do now

1. Inventory and assess your Java footprint

   Start by conducting a security code review to map where Java runs across infrastructure, which garbage collection modes are currently in use, and identifying any dependencies on Security Manager, JNI, or Unsafe methods. Document these findings to inform migration planning.

2. Test compatibility in staging environments

   Deploy Java 25 in non-production environments and execute comprehensive application testing before production rollout. Focus testing on authentication mechanisms, encryption implementations, and external integrations where security protocol changes might affect functionality.

3. Develop a phased migration plan

   Prioritize internet-facing applications and systems processing sensitive data for early migration. Schedule low-risk internal tools for later phases after gaining operational experience.

4. Engage security expertise

   Partner with cybersecurity consultancies to conduct penetration testing and vulnerability assessments specifically targeting Java components in infrastructure. Professional testing identifies configuration weaknesses, insecure coding patterns, and integration vulnerabilities that automated scanners miss.

5. Update vendor software

   Contact third-party software vendors to confirm their Java 25 compatibility timelines and security update schedules. Establish service level agreements that mandate timely vendor support for new Java versions.

6. Monitor compliance requirements

   Review industry-specific compliance obligations to ensure Java update strategies satisfy regulatory mandates for timely security patching and cryptographic standards. Document migration progress for audit purposes and regulatory reporting.

Pressing questions

• Is Java 25 mandatory?

  No version upgrade is technically mandatory, but organizations remaining on older Java versions accept increasing security risk as new vulnerabilities emerge without receiving patches. Java 25 provides eight years of security updates, while older versions lose support over time, eventually leaving applications permanently vulnerable.

• Will Java 25 break existing applications?

  Properly coded Java applications following documented APIs maintain compatibility with Java 25. Applications explicitly using deprecated security features like SHA-1 signatures require targeted updates. Comprehensive testing in staging environments identifies compatibility issues before production deployment.

• How quickly should organizations migrate?

  Migration urgency depends on risk tolerance and regulatory requirements. Internet-facing applications and systems processing sensitive data should prioritize early migration, while internal tools with limited exposure can follow phased timelines.

• What happens if organizations delay the update?

  Delayed updates create accumulating security debt as new vulnerabilities emerge without available patches. Emergency migrations forced by active exploitation cost significantly more than planned updates during stable operational periods.

• What are post-quantum algorithms and why do they matter now?

  Post-quantum algorithms use mathematical problems that even quantum computers cannot solve efficiently, protecting encrypted data against future technological advances. Adversaries can harvest encrypted data today and decrypt it once quantum computers become available, making proactive protection essential.

Key takeaways

Java 25 represents a critical security milestone that protects enterprise applications against both current exploitation techniques and emerging quantum computing threats. Organizations maintaining outdated Java versions face growing vulnerability exposure as security support ends and new exploits emerge.

Business leaders should prioritize Java inventory assessment, compatibility testing, and phased migration planning to reduce breach probability before attackers exploit known vulnerabilities. Proactive security updates consistently cost less than reactive incident response, making Java 25 migration a strategic investment in long-term cyber resilience. Performance improvements deliver immediate operational value through reduced cloud costs and enhanced application responsiveness.