Overview
About vulnerability
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 through 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0.
The methods ClassUtils.getClass(…) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
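To check a build against the version ranges stated above, the following added example (not part of the advisory or of Apache Commons Lang) scans the output of `mvn dependency:list` for the two affected artifacts. The sample lines are constructed, and the function names are this example's own.

```python
import re

# Affected ranges as stated in the advisory: (low, high, high_is_inclusive).
AFFECTED = {
    ("commons-lang", "commons-lang"): ((2, 0, 0), (2, 6, 0), True),
    ("org.apache.commons", "commons-lang3"): ((3, 0, 0), (3, 18, 0), False),
}

# Constructed sample in the group:artifact:type[:classifier]:version:scope format.
SAMPLE = """\
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    commons-lang:commons-lang:jar:2.6:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.18.0:compile
[INFO]    org.apache.commons:commons-text:jar:1.10.0:compile
[INFO]    org.apache.commons:commons-lang3:jar:tests:3.9:test
"""


def parse_version(text):
    """Leading numeric components as a 3-tuple; qualifiers such as -SNAPSHOT are ignored."""
    head = re.split(r"[-+]", text)[0]
    nums = [int(n) for n in re.findall(r"\d+", head)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def find_affected(dependency_list):
    """Return group:artifact:version for every dependency inside an affected range."""
    hits = []
    for line in dependency_list.splitlines():
        tokens = line.replace("[INFO]", "").split()
        if not tokens:
            continue
        parts = tokens[0].split(":")
        if len(parts) not in (5, 6):  # 6 fields when a classifier is present
            continue
        key, version = (parts[0], parts[1]), parts[-2]
        if key not in AFFECTED:
            continue
        low, high, inclusive = AFFECTED[key]
        v = parse_version(version)
        if low <= v and (v <= high if inclusive else v < high):
            hits.append(f"{parts[0]}:{parts[1]}:{version}")
    return hits


if __name__ == "__main__":
    print("\n".join(find_affected(SAMPLE)))
```

Because the check keys on the resolved artifact coordinates, it also flags copies pulled in transitively by other packages.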
Details
- Affected product:
- Apache CXF, Apache Commons, Apache Commons Lang, Apache Hadoop, Apache Hive, Apache Kafka, Apache Lucene, Apache Maven, Apache Spark, Apache Struts, Apache Tapestry, Apache Velocity, Eclipse Jetty, Hibernate, Plexus, Spring, Wildfly, acegi-security, activemq, agepredictor, amazon-kinesis-client, api-ldap-model, artemis, artemis-cli, avro, azure-storage-java, bookkeeper-common-allocator, bookkeeper-server, cocoon, creadur-rat, cxf, db-ojb, directory-ldap-api, directory-server, doxia-site-renderer, elasticsearch, flume-ng-core, flume-ng-sdk, gradle, htmlunit, jackrabbit, java-driver, java-opensaml, json-schema-validator, karaf, kotlin, libfb303, logging-flume, logging-log4j2, lucene, maven, myfaces, opensaml-saml-impl, orc, orc-core, org.apache.karaf.features.core, org.ops4j.pax.url, pax-url-aether, pulsar, pulsar-client-all, pulsar-package-core, solr, swagger-core, swagger-integration, swagger-jaxrs, swagger-jaxrs2, thrift, tika, tinkerpop, webdrivermanager, wildfly, ws-wss4j
- Affected packages:
- hive-metastore @ 2.3.9 (+4825 more)