Portal for ArcGIS Security 2025 Update 1 Patch

Esri announces the Portal for ArcGIS Security 2025 Update 1 Patch.  Esri recommends that all customers using Portal for ArcGIS 11.4, 11.3, 11.2, 11.1, and 10.9.1 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this Patch.

As a best practice, clear the browser cache and re-launch the browser after installing the patch.

This patch can be uninstalled as outlined in the Uninstalling this patch on Windows and Uninstalling this patch on Linux sections below.

Additionally, Esri recommends developing a rollback plan before installing patches. This may be taking a snapshot of machines and related file servers or using the WebGIS DR tool as a software backup. See Back up and restore best practices for more information. For those utilizing a highly available environment, refer to the help topic on how to apply patches in a highly available environment for guidance.

• BUG-000174336 - Improper authentication issue in Portal for ArcGIS

To avoid conflicts the 11.4 version also addresses:

• BUG-000170582 - The Survey123 step in ArcGIS Workflow Manager allows to continue with unsubmitted changes to the survey.

To avoid conflicts the 11.3 version also addresses:

• BUG-000173740 - A file handle leak in Portal for ArcGIS returns the "Too many open files" error and requires frequent restarts in an Amazon Web Services (AWS) deployment.
• BUG-000172179 - When adding a point event using the Add Point Event widget in ArcGIS Experience Builder, route names and measure values are not automatically populated.
• BUG-000172165 - ArcGIS Enterprise 11.3 returns the "Too many exchange refresh token" error message even though the threshold is not reached.
• BUG-000171000 - Remove hard-coded URLs that reference arcgis.com from ArcGIS Instant Apps so they can work in fully disconnected ArcGIS Enterprise deployments (especially with the Category Gallery and Countdown templates).
• BUG-000170223 - In ArcGIS Enterprise 11.3, the import of a portal webgisdr backup fails with the error "The incoming site bundle is invalid" if a federated ArcGIS Server 10.9.1 is included.
• BUG-000168729 - Unable to edit ArcGIS Experience Builder owned by another user, despite having sufficient privileges.
• BUG-000168418 - The error message "Essential Apps Required" is returned when loading ArcGIS Enterprise Sites directly for the first time when using web-tier authentication such Integrated Windows Authentication (IWA) or public key infrastructure (PKI).
• BUG-000167766 - Distributed collaborations between ArcGIS Enterprise and ArcGIS Online organizations in the Asia-Pacific region fail to synchronize more than 20 items.
• BUG-000167652 - The Last Modified timestamp of a hosted feature layer participating in a distributed collaboration is updated upon every workspace synchronization, regardless of any changes to the source item.
• BUG-000167622 - The index service Portal for ArcGIS (Linux) crashes when certain environmental conditions are in place.
• BUG-000165350 - Distributed collaboration does not sync item description changes from ArcGIS Online to ArcGIS Enterprise. 
• BUG-000165233 - The View Data Source option for ArcGIS Hub ends on a loop when the data is referenced from Portal for ArcGIS.
• BUG-000163121 - The ArcGIS Enterprise Sites Gallery layout does not display items correctly.

To avoid conflicts the 11.2 version also addresses:

• BUG-000168637 - Reflected cross-site-scripting (XSS) attacks in Portal for ArcGIS.
• BUG-000168624 - Unvalidated redirect in Portal for ArcGIS.
• BUG-000167984 - Portal for ArcGIS has a Local file inclusion (LFI) vulnerability
• BUG-000167597 - The navigation bars included in the Instant Apps gallery and configuration pages in Portal for ArcGIS do not display correctly after updating the browser to Chrome 127 or Edge 127.
• BUG-000167596 - The ArcGIS Solutions navigation bar in Portal for ArcGIS does not display correctly after updating the browser to Chrome 127 or Edge 127.
• BUG-000167545 - The Map Viewer navigation bar in Portal for ArcGIS does not display correctly after updating the browser to Google Chrome 127 or Microsoft Edge 127.
• BUG-000167544 - The home page navigation bar in Portal for ArcGIS does not display correctly after updating the browser to Chrome 127 or Edge 127.
• BUG-000163032 - Using FeatureLayer.applyEdits() with the useGlobalIds parameter set to true generates lower case global IDs upon insert.
• BUG-000162920 - An error is returned when attempting to delete or update a newly added 3D feature in Scene Viewer.
• BUG-000162733 - Portal for ArcGIS has an invalid authentication vulnerability.
• BUG-000162623 - Portal for ArcGIS has a directory traversal vulnerability.
• BUG-000161781 - Unable to open a hosted tile layer's item details page 10 days after creation.

To avoid conflicts the 11.1 version also addresses:

• BUG-000168637 - Reflected cross-site-scripting (XSS) attacks in Portal for ArcGIS.
• BUG-000168624 - Unvalidated redirect in Portal for ArcGIS.
• BUG-000167984 - Portal for ArcGIS has a Local file inclusion (LFI) vulnerability.
• BUG-000167983 - Unvalidated redirect in Portal for ArcGIS.
• BUG-000167837 - When using the Calcite theme in ArcGIS Experience Builder 11.1, the error message, "Cannot read properties of undefined (reading 'underline')" is returned when clicking the Layers or Measure button in the Map widget. (11.1 Only)
• BUG-000167622 - The index service Portal for ArcGIS (Linux) crashes when certain environmental conditions are in place.
• BUG-000167597 - The navigation bars included in the Instant Apps gallery and configuration pages in Portal for ArcGIS do not display correctly after updating the browser to Chrome 127 or Edge 127.
• BUG-000167596 - The ArcGIS Solutions navigation bar in Portal for ArcGIS does not display correctly after updating the browser to Chrome 127 or Edge 127.
• BUG-000167545 - The Map Viewer navigation bar in Portal for ArcGIS does not display correctly after updating the browser to Google Chrome 127 or Microsoft Edge 127.
• BUG-000167544 - The home page navigation bar in Portal for ArcGIS does not display correctly after updating the browser to Chrome 127 or Edge 127.
• BUG-000167432 - Vector Tile Style Editor displays unexpected characters in the 'Save As' dialog when the home application is configured to display in a non-English language.
• BUG-000166350 - Installing Portal for ArcGIS 11.1 Sharing Patch removes the directory and files used by 3D Object style items, resulting in advanced 3D symbols not displaying properly in Scene Viewer.
• BUG-000165805 - ArcGIS Experience Builder in ArcGIS Enterprise becomes unresponsive after adding an 'Extent changes' trigger when a map layer is also part of a Table widget.
• BUG-000165732 - Reflected XSS in Portal for ArcGIS.
• BUG-000165473 - The Portal for ArcGIS 11.1 Sharing patch adds sample widgets to ArcGIS Experience Builder. 
• BUG-000165286 - Reflected XSS in Portal for ArcGIS.
• BUG-000164335 - Feature service edits are not synchronized when the guest in a distributed collaboration has a multi-machine deployment architecture.
• BUG-000164118 - Members are not able to share to groups through the Map Viewer app when they own or manage more than 30 groups that are configured to only allow owner and managers to contribute content.
• BUG-000163309 - Reflected XSS in Portal for ArcGIS.
• BUG-000162883 - Unable to log in to some endpoints in Portal for ArcGIS through SAML or OpenID Connect when using an external identity provider
• BUG-000162733 - Portal for ArcGIS has an invalid authentication vulnerability.
• BUG-000162671 - Unable to view the legacy home page until users are authenticated within Portal for ArcGIS.
• BUG-000162623 - Portal for ArcGIS has a directory traversal vulnerability.
• BUG-000162544 - Unable to open the KML layer added to Portal for ArcGIS from a file in Map Viewer.
• BUG-000161781 - Unable to open a hosted tile layer's item details page 10 days after creation.
• BUG-000161683 - HTML injection vulnerability in Portal for ArcGIS.
• BUG-000160803 - Unable to access secured services with saved credentials when using a forward proxy that requires authentication.
• BUG-000160765 - Stored XSS vulnerability in ArcGIS Experience Builder.
• BUG-000160633 - When selecting features from the map using the Query widget with a buffer, ArcGIS Experience Builder fails to include the query results from the buffered area in a linked Table widget.
• BUG-000160599 - Stored XSS in Portal for ArcGIS Web App Builder.
• BUG-000160241 - Reflected XSS in Portal for ArcGIS.
• BUG-000159271 - Warnings are erroneously logged for ArcGIS Notebooks and ArcGIS Mission while trying to refresh a webhooks configuration.
• BUG-000158984 - Stored Cross Site Scripting (XSS) in Portal for ArcGIS.
• BUG-000158980 - Trying to add a service to the Map Viewer or as an item is resulting in an infinite loop of checkURL-requests when the allowedProxyHosts-parameter does not contain the domain of the service.
• BUG-000158910 - WebGISDR tool backups fail if backup of portal indicates items were missing.
• BUG-000158688 - There is a cross-site scripting vulnerability in ArcGIS Experience Builder.
• BUG-000158430 - In ArcGIS Web AppBuilder, the Geoprocessing widget returns an incorrect output for the selected feature if the 'Set as input for Geoprocessing' option is not selected in the Select widget.
• BUG-000158232 - In Portal for ArcGIS, sharing items with groups does not work when an organization member owns more than 29 groups with the 'isViewOnly' property set to True.
• BUG-000158210 - HTML injection in ArcGIS Web AppBuilder.
• BUG-000158161 - HTML code to embed a web map in a website does not work in Portal for ArcGIS.
• BUG-000157727 - The 'Administrative contacts' section fails to load in ArcGIS Enterprise.
• BUG-000157485 - Unable to create an offline area for a large data size in Portal for ArcGIS due to a size limit.
• BUG-000153928 - Measure tools do not work if a cursor is moved to find a second point and the map is double-clicked to complete the area measured.
• BUG-000153884 - Reflected Cross-Site Scripting (XSS) in Portal for ArcGIS Map Viewer.

To avoid conflicts the 10.9.1 version also addresses:

• BUG-000171876 - WebGISDR tool times out after 24 hours when the ArcGIS Datastore content is large.
• BUG-000170525 - In ArcGIS Web AppBuilder, adding feature services containing a stand-alone table through the Add Data widget does not make the table appear in the List Layers widget.
• BUG-000168624 - Unvalidated redirect in Portal for ArcGIS.
• BUG-000167984 - Portal for ArcGIS has a Local file inclusion (LFI) vulnerability.
• BUG-000167983 - Unvalidated redirect in Portal for ArcGIS.
• BUG-000167597 - The navigation bars included in the Instant Apps gallery and configuration pages in Portal for ArcGIS do not display correctly after updating the browser to Chrome 127 or Edge 127.
• BUG-000167545 - The Map Viewer navigation bar in Portal for ArcGIS does not display correctly after updating the browser to Google Chrome 127 or Microsoft Edge 127.
• BUG-000167544 - The home page navigation bar in Portal for ArcGIS does not display correctly after updating the browser to Chrome 127 or Edge 127.
• BUG-000165732 - Reflected XSS in Portal for ArcGIS.
• BUG-000165286 - Reflected XSS in Portal for ArcGIS.
• BUG-000164611 - In ArcGIS Web AppBuilder, when using the Filter widget, a custom filter on a date field fails to return any results.
• BUG-000163019 - Stored XSS in Portal for ArcGIS.
• BUG-000162883 - Unable to log in to some endpoints in Portal for ArcGIS through SAML or OpenID Connect when using an external identity provider
• BUG-000162806 - ArcGIS Enterprise web apps do not prompt for an enterprise login from certain ArcGIS Enterprise services.
• BUG-000162733 - Portal for ArcGIS has an invalid authentication vulnerability.
• BUG-000162623 - Portal for ArcGIS has a directory traversal vulnerability.
• BUG-000161683 - HTML injection vulnerability in Portal for ArcGIS.
• BUG-000160765 - Stored XSS in ArcGIS Experience Builder.
• BUG-000160599 - Stored XSS in Portal for ArcGIS Web AppBuilder.
• BUG-000160241 - Reflected XSS in Portal for ArcGIS.
• BUG-000160000 - When attempting to restore a Portal for ArcGIS backup to a new machine, the importSite operation may fail with the error message, "This connection has been closed. Code: 500" returned.
• BUG-000159204 - Accessing and logging in to the ArcGIS Experience Builder web app via ArcGIS Enterprise Sites causes the ArcGIS Experience Builder web app to be always logged in even after logging out on other tabs.
• BUG-000158984 - There is a cross-site scripting issue in Portal for ArcGIS.
• BUG-000158981 - There is a cross-site scripting issue in Portal for ArcGIS.
• BUG-000158688 - There is a cross-site scripting vulnerability in ArcGIS Experience Builder.
• BUG-000158210 - The web map ID needs to be validated in the ArcGIS Web AppBuilder view.
• BUG-000158030 - In Portal for ArcGIS, there is a security vulnerability in the /shared/origin app.
• BUG-000157748 - After installing the Portal for ArcGIS 10.9.1 Security 2023 Update 1 Patch, Map Viewer's Styles panel fails to load and other panels (Filter, Clustering) subsequently fail to load.
• BUG-000157597 - Portal for ArcGIS Security 2023 Update 1 Patch for Portal for ArcGIS 10.9.1 causes issues in the Portfolio app in ArcGIS Instant Apps.
• BUG-000157485 - Unable to create an offline area for a large data size in Portal for ArcGIS due to a size limit.
• BUG-000156964 - Join site fails if the primary is using a non-default Web Server certificate.
• BUG-000156913 - In Portal for ArcGIS 10.9.1, opening Map Viewer on a browser in a mobile view displays a blank map for a new map.
• BUG-000155004 - HTML injection issue in Portal for ArcGIS.
• BUG-000155001 - Unvalidated redirect in Portal for ArcGIS.
• BUG-000154827 - Reflected XSS in ArcGIS Experience Builder.
• BUG-000154722 - There is a Cross-Site Request Forgery (CSRF) issue in Portal for ArcGIS.
• BUG-000154662 - The user experience is inconsistent when opening ArcGIS Instant Apps without an app ID.
• BUG-000154238 - After installing Portal for ArcGIS Security 2022 Update 2, ArcGIS Business Analyst Web App becomes inaccessible.
• BUG-000154236 - ArcGIS Online has a security vulnerability (reflected XSS).
• BUG-000154028 - If a group is configured for only owners or managers to contribute content, the managers cannot share items to the group in Portal for ArcGIS 10.8.1 and 10.9.1.
• BUG-000153997 - After installing the Portal for ArcGIS 2022 Update 2 Patch, ArcGIS Instant Apps cannot be started.
• BUG-000153884 - Input into the directions interface in Map Viewer Classic is not properly validated.
• BUG-000153799 - After installing the Portal for ArcGIS 10.9.1 Security 2022 Update 2 Patch, Map Viewer's Styles panel fails to load and other panels (Filter, Clustering) subsequently fail to load.
• BUG-000152437 - Reflected XSS vulnerability in Portal for ArcGIS.
• BUG-000152422 - ArcGIS Experience Builder containing a secured service is unable to be saved when Portal for ArcGIS and a federated ArcGIS Server site are configured with matching WebContextURLs.
• BUG-000152181 - When the Show option is clicked in a related attribute table in Portal for ArcGIS Map Viewer Classic, the attributes of the related layer are not displayed if the relationship class is created using long integer, short integer, and float data types.
• BUG-000152035 - Unvalidated redirect in Portal for ArcGIS.
• BUG-000151892 - Reflected XSS vulnerability in Portal for ArcGIS.
• BUG-000149597 - Stored XSS vulnerability in Portal for ArcGIS.
• BUG-000149111 - The Portal for ArcGIS certificate keystore is not preserved when a standby machine is joining back to the site during a webgisdr restore in 10.9.1.
• BUG-000148810 - Portal for ArcGIS has a directory traversal vulnerability.
• BUG-000148416 - Portal for ArcGIS service fails to restart after the Portal for ArcGIS Log4j patch installation in an Azure High Availability (HA) environment.
• BUG-000148346 - There is a Cross Site Reference Forgery issue in the ArcGIS Enterprise portal.
• BUG-000148008 - HTML injection in Portal for ArcGIS.
• BUG-000147750 - In ArcGIS Dashboards in Portal for ArcGIS, after filtering the features in a map based on a category, the pop-up for filtering out the overlapping features is still displayed.
• BUG-000147353 - Administrators are unable to share private items owned by another member to a group that they both are members of.
• BUG-000146967 - Unable to edit polygon geometry with z-values as a feature layer in MapViewer for Portal for ArcGIS published from ArcGIS Pro.
• BUG-000146846 - In ArcGIS Enterprise, the ArcGIS Online geometry service is used, although a custom one is configured.
• BUG-000146790 - Distributed Collaboration is not working in Enterprise 10.9.1 if access to the ArcGIS Server (hosting server) Services Directory is disabled.
• BUG-000146217 - The Category Gallery application has stopped responding, and returned the following message, "Uncaught: The item containing the living atlas categories could not be determined" in the Debug Tool (F12) under 'Console'.
• BUG-000145799 - When the Enterprise portal display language is set to any non-English language, text is missing for the 'Application extension (AppBuilder)' option on the Content page within the New Item > Application dialog.
• BUG-000145792 - When creating a dashboard in Portal for ArcGIS 10.9.1, the dashboard URL adds two dots after the web adaptor's name.
• BUG-000145347 - Update log4j to address security vulnerabilities.
• BUG-000145201 - When upgrading Portal for ArcGIS to version 10.9.1, the self-signed certificates are reverted to default.
• BUG-000143573 - Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS.
• BUG-000142922 - Members are able to access the items in the My Favorites tab shared using a group even after leaving the group.
• BUG-000141240 - ArcGIS Web AppBuilder in ArcGIS Enterprise 10.9 is blocking hosted custom 3D widgets.
• BUG-000140656 - 'Allow Portal Access' does not prompt for enterprise logins when WebContextURLs match for Portal for ArcGIS and the server site that owns the content being accessed.
• BUG-000138713 - Features published through the local time enabled referenced feature service are filtered incorrectly through UTC when used in the Filter widget in ArcGIS Web AppBuilder.
• BUG-000137190 - Labels in a vector tile layer render irrespective of the layer's visibility range.
• BUG-000133406 - The relationship field value does not auto-populate after adding the first related record using the ArcGIS Web AppBuilder Edit widget.)
• BUG-000115038 - The Edit widget template window in Web AppBuilder for ArcGIS returns the error message, "Your account does not have the permission to create or modify data. Or this web map does not contain any editable layers" when a hosted feature service in ArcGIS Online set with either the Update Attributes Only or Update Features option is edited, although when the correct permission and an editable layer are present.

On Windows, the release date order of the patches does not matter when installing multiple patches. If an older patch is installed after a newer patch, the newer patch takes precedence and the fixes from the newer patch will remain. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

Step 2: Make sure you have write access to your ArcGIS installation location.

Step 3: Double-click ArcGIS-<Version>-PFA-SEC2025U1-Patch.mspe to start the setup process.

NOTE: If double clicking on the msp file does not start the setup installation, you can start the setup installation manually by using the following command:

Step 4: As a best practice, clear the browser cache and re-launch the browser after installing the patch.

On Linux, the release date order of the patches matters when installing multiple patches. If an older patch is installed after a newer patch, the older patch will replace the newer patch and the fixes in the newer patch will be removed. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

Step 2: Make sure have write access to your ArcGIS installation location, and that no one is using ArcGIS.

Step 3: Extract the specified tar file by typing:

Step 4: Start the installation by typing:

This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

Step 5: As a best practice, clear the browser cache and re-launch the browser after installing the patch.

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

Restart your ArcGIS services.

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

PatchFinder for Windows

PatchFinder for Linux/Unix