Overview
About vulnerability
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 to 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0.
The ClassUtils.getClass(…) methods can throw a StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
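Where an affected version has to stay in service until the upgrade lands, a caller can bound the class name before it reaches ClassUtils.getClass and treat a StackOverflowError as a failed lookup. This is an added example, not code from Apache Commons Lang or from this advisory; the class BoundedClassLookup, the 256-character limit and the sample inputs are assumptions.

```java
import org.apache.commons.lang3.ClassUtils;

import java.util.Optional;

/** Hypothetical guard (not part of Commons Lang) for class names from untrusted input. */
public final class BoundedClassLookup {

    // Assumption: 256 characters is well above any class name this application expects.
    private static final int MAX_NAME_LENGTH = 256;

    private BoundedClassLookup() { }

    /** Resolves a class name, or returns empty if it is rejected or cannot be loaded. */
    public static Optional<Class<?>> resolve(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_NAME_LENGTH) {
            // Reject before the library ever sees the input.
            return Optional.empty();
        }
        try {
            return Optional.of(ClassUtils.getClass(name));
        } catch (ClassNotFoundException e) {
            return Optional.empty();
        } catch (StackOverflowError e) {
            // StackOverflowError is an Error, so a catch (Exception e) block
            // would not see it; it has to be named explicitly.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs (String.repeat needs Java 11 or later).
        String ordinary = "java.util.Map$Entry";
        String oversized = "a".repeat(100_000);
        System.out.println("ordinary resolved:  " + resolve(ordinary).isPresent());
        System.out.println("oversized resolved: " + resolve(oversized).isPresent());
    }
}
```

The length check is the primary control; the catch clause only keeps a missed case from taking the thread down. Neither replaces the upgrade to 3.18.0.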
Details
- Affected product:
- AlmaLinux 9.2 ESU, Apache CXF, Apache Commons, Apache Commons Lang, Apache Hadoop, Apache Hive, Apache Kafka, Apache Log4j, Apache Lucene, Apache Maven, Apache Solr, Apache Spark, Apache Struts, Apache Tapestry, Apache Velocity, Eclipse Jetty, Hibernate, Plexus, Spring, TuxCare 9.6 ESU, Wildfly, acegi-security, activemq, agepredictor, amazon-kinesis-client, api-ldap-model, artemis, artemis-cli, avro, azure-storage-java, bookkeeper-common-allocator, bookkeeper-server, camel, castor, cocoon, consul-client, creadur-rat, db-ojb, digitalocean-api-java, directory-ldap-api, directory-server, docker-java, docx4j, doxia-site-renderer, dozer, elasticsearch, ews-java-api, excel-streaming-reader, fastexcel, flink, flume-ng-core, flume-ng-sdk, gradle, hapi-fhir, htmlunit, ical4j, iota-java, ironjacamar, jackrabbit, jasperreports, java-driver, java-opensaml, jsendnsca, json-schema-validator, karaf, kotlin, libfb303, logging-flume, maven, myfaces, neo4j-ogm, olingo-odata4, opensaml-saml-impl, optaplanner, orc, orc-core, org.apache.karaf.features.core, org.ops4j.pax.url, pax-url-aether, poi, pulsar, pulsar-client-all, pulsar-package-core, quickfixj, ribbon, swagger-core, swagger-integration, swagger-jaxrs, swagger-jaxrs2, swagger-parser, thrift, tika, tinkerpop, webdrivermanager, wildfly, ws-wss4j, xchange
- Affected packages:
- artemis @ 2.26.0 (+14348 more)