VDB
CISA-2025-48924
CISA-2025-48924
PUBLISHED
CVSS 5.3 MEDIUM
Reported by apache · Published July 11, 2025
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Risk Scores
CVSS 3.1
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache Commons Lang | 2.0 |
| Apache Software Foundation | Apache Commons Lang | 3.0 |
| Apache Software Foundation | Apache Commons Lang | 2.0, 2.0 |
| Apache Software Foundation | Apache Commons Lang | 3.0, 3.0 |
Timeline
- Jul 11, 2025 CVE Published
- Nov 4, 2025 CVE Updated
References
- vendor-advisory
- https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html url
- https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html url
- https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html url
- http://www.openwall.com/lists/oss-security/2025/07/11/1 url
- https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html url