VDB
DEBIAN-CVE-2025-48924
DEBIAN-CVE-2025-48924
PUBLISHED
CVSS 5.300000190734863 MEDIUM
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Risk Scores
CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | libcommons-lang3-java | 0, 3.17.0-1, 0 |
| Debian:11 | libcommons-lang3-java | 0, 3.11-1, 0 |
| Debian:13 | libcommons-lang3-java | 3.17.0-1, 3.17.0-1, 0 |
| Debian:14 | libcommons-lang-java | 2.6-10, 0, 0 |
| Debian:13 | libcommons-lang-java | 0, 0, 2.6-10 |
| Debian:12 | libcommons-lang-java | 2.6-10, 0, 2.6-10 |
| Debian:11 | libcommons-lang-java | 2.6-9, 0, 2.6-9 |
| Debian:12 | libcommons-lang3-java | 3.12.0-2, 0, 0 |
Exploit Intelligence
- Apache's commons-lang2 v2.6 with a backported fix for CVE-2025-48924 (github-poc)
- pom-common.xml (github-poc)
- VulnerableDependencies.kt (github-poc)
- EncryptionUtil.java (github-poc)
- druid-612f0710.json (github-poc)
- dockerscan.yml (github-poc)
- owasp-suppressions-pending.xml (github-poc)
- pom.xml (github-poc)
- pom.xml (github-poc)
- dependencyCheckSuppression.xml (github-poc)
…and 3 more exploits
Timeline
- Jul 11, 2025 CVE Published
- Apr 28, 2026 CVE Updated