November 10, 2025

SailPoint IIQ e-Fix patch IIQSR-940 and IIQ plugins

On November 3, 2025, SailPoint published e-Fix patch IIQSR-940 for IIQ security vulnerability CVE-2025-10280. This patch takes the form of an updated Java class, SailPointResponseFilter.class (a servlet filter), along with an updated web.xml. Unfortunately, this e-Fix also unintentionally breaks IIQ plugins that rely on jQuery plugins for their UI functions.

This includes at least two supported Instrumental ID IdentityIQ plugins, for which fixes are available.

Technical details

The web.xml file now includes two sets of file patterns under its configuration for the SailPointResponseFilter. The first is jsonPaths, a comma-separated list of filename fragments. Any web request whose file path contains one of these fragments but does not end in .json will be rejected with a 404 Not Found response. The second is ignoredJsonPaths, an override list that allows access to a path that matches a jsonPaths entry but is known to be fine.

The following line (972) causes the problem:

<!-- all *Query.json
     ex. /define/roles/modeler/simpleEntitlementQuery.json -->
Query.,

Plugins for jQuery tend to use filenames like jquery.pluginname.js, which (case-insensitively) matches this filename fragment.

I also posted these details to the SailPoint Developer Forums.

Affected Instrumental ID plugins

The following Instrumental ID plugins were affected by this issue. Fixes are already available to IID’s customers.

  • Shell Plugin: Breaks entirely, because it fundamentally relies on jquery.terminal.js.
  • UI Enhancer plugin: Confirmation modals that accept user input will not work.

The following plugins are NOT affected: History Plugin, CRMP, Deploy Plugin, Query Plugin, Rule Runner Plugin, Partitioned Perform Maintenance, Container Plugin, Hazelcast Plugin, and Meterator.

Workarounds

As a temporary workaround, you can alter the provided web.xml to include /jquery. (with the slash and dot) in the ignoredJsonPaths section. We don’t normally recommend altering the content of official security patches, but this would only be temporary until updated plugins can be installed.
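
The matching rule from Technical details and the effect of the workaround above, modelled as an added example (not SailPoint's or Instrumental ID's code). It assumes both lists are matched as case-insensitive substrings of the request path; the sample paths are constructed, and vendor-jquery.modal.js is a hypothetical file name.

```python
import re

# Constructed excerpt of the jsonPaths value, limited to the entry quoted above.
JSON_PATHS_VALUE = """
    <!-- all *Query.json
         ex. /define/roles/modeler/simpleEntitlementQuery.json -->
    Query.,
"""

def parse_fragments(value):
    """Strip XML comments, then split the comma-separated fragment list."""
    value = re.sub(r"<!--.*?-->", "", value, flags=re.DOTALL)
    return [f.strip() for f in value.split(",") if f.strip()]

def is_blocked(path, json_paths, ignored=()):
    """True if the filter, as described on this page, would return 404.

    Assumption: both lists are case-insensitive substring matches on the path.
    """
    p = path.lower()
    if p.endswith(".json"):
        return False  # real JSON endpoints pass
    if not any(f.lower() in p for f in json_paths):
        return False  # no jsonPaths fragment in the path
    # A jsonPaths hit is rejected unless an ignoredJsonPaths entry overrides it.
    return not any(f.lower() in p for f in ignored)

def audit(paths, json_paths, ignored=()):
    """Return the subset of paths that would be rejected, in input order."""
    return [p for p in paths if is_blocked(p, json_paths, ignored)]

# Constructed request paths for illustration.
SAMPLE_PATHS = [
    "/define/roles/modeler/simpleEntitlementQuery.json",  # ends in .json: allowed
    "/plugin/example/ui/js/jquery.terminal.js",           # jQuery plugin file
    "/plugin/example/ui/js/vendor-jquery.modal.js",       # no "/" before "jquery."
    "/plugin/example/ui/js/app.js",                       # unrelated file
]

if __name__ == "__main__":
    frags = parse_fragments(JSON_PATHS_VALUE)
    print("as shipped:     ", audit(SAMPLE_PATHS, frags))
    print("with workaround:", audit(SAMPLE_PATHS, frags, ignored=["/jquery."]))
```

In this model the /jquery. override only covers files whose name starts with jquery., so the third path stays blocked; running audit over a plugin's own file list shows whether the workaround covers everything it ships.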