#VU113607 Uncontrolled Recursion in Apache Commons Lang - CVE-2025-48924
Vulnerability identifier: #VU113607
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-674
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Commons Lang
Universal components / Libraries /
Software for developers
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. A remote attacker can trigger uncontrolled recursion and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Commons Lang: 2.0 - 3.17.0
External links
https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
