CVE-2025-48924

Name: CVE-2025-48924
Description: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 through 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0. The ClassUtils.getClass(...) methods can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4262-1, DLA-4286-1
Debian Bugs: 1109125, 1109126
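
The description names the failure mode but not the mechanism. The following is an added example (my own code, not from the Debian tracker or from Apache Commons Lang) that reproduces the StackOverflowError against a commons-lang3 release before 3.18.0 and shows the caller-side guard a service that cannot upgrade immediately can apply: bound the length and the number of '.'-separated segments before an attacker-influenced name reaches ClassUtils.getClass. In the vulnerable versions every ClassNotFoundException triggers a recursive retry with the last '.' rewritten to '$' (so "a.b.C" is retried as "a.b$C"), which costs one stack frame per dot. The class name ClassUtilsRecursionDemo, the helpers, the limits MAX_NAME_LENGTH and MAX_SEGMENTS, and the 256 KiB probe stack are all assumptions of this example; the 20,000-segment name is constructed input. It needs org.apache.commons:commons-lang3 on the classpath: with 3.17.0 or older the unguarded probe ends in StackOverflowError, with upstream 3.18.0 (the commit referenced in the notes) or Debian's patched 3.17.0-2 it ends in ClassNotFoundException. The 2.x line (libcommons-lang-java, package org.apache.commons.lang) has no upstream 3.18.0 to move to, so the fixed 2.6 revisions in the table are distribution patches.

```java
import org.apache.commons.lang3.ClassUtils;

/*
 * Added example; not code from the Debian tracker or from Apache Commons Lang.
 * Reproduces the CVE-2025-48924 failure mode and shows a caller-side guard.
 * Assumes org.apache.commons:commons-lang3 on the classpath; with a version
 * before 3.18.0 the unguarded probe ends in StackOverflowError, with 3.18.0
 * or later (or Debian's patched 3.17.0-2) it ends in ClassNotFoundException.
 */
public class ClassUtilsRecursionDemo {

    // Our own policy limits (assumptions for this example, not library constants).
    // No legitimate Java binary name needs anywhere near this many package or
    // inner-class segments, so rejecting above the bound costs nothing real.
    static final int MAX_NAME_LENGTH = 1024;
    static final int MAX_SEGMENTS = 64;

    /**
     * Guarded wrapper: validate before delegating. In the vulnerable versions each
     * ClassNotFoundException triggers a recursive retry with the last '.' turned
     * into '$', one frame per dot, so bounding the dots bounds the recursion depth.
     */
    static Class<?> safeGetClass(String className) throws ClassNotFoundException {
        if (className == null || className.length() > MAX_NAME_LENGTH) {
            throw new IllegalArgumentException("class name missing or longer than " + MAX_NAME_LENGTH);
        }
        int dots = 0;
        for (int i = 0; i < className.length(); i++) {
            if (className.charAt(i) == '.' && ++dots > MAX_SEGMENTS) {
                throw new IllegalArgumentException("class name has more than " + MAX_SEGMENTS + " '.' separators");
            }
        }
        return ClassUtils.getClass(className);
    }

    /** Constructed attacker input: "a.a.a....a" with the given number of segments. */
    static String pathologicalName(int segments) {
        StringBuilder sb = new StringBuilder(2 * segments);
        for (int i = 0; i < segments; i++) {
            if (i > 0) {
                sb.append('.');
            }
            sb.append('a');
        }
        return sb.toString();
    }

    /**
     * Runs the unguarded library call on a thread with a small stack so the outcome
     * is deterministic and cheap (each live frame keeps its own copy of the name, so
     * exhausting a large default stack would also burn a lot of heap). Catching
     * StackOverflowError here only classifies the outcome for the demo; in a real
     * service the Error propagates straight past catch (Exception e) handlers.
     */
    static String probeUnguarded(String className) throws InterruptedException {
        String[] outcome = new String[1];
        Thread t = new Thread(null, () -> {
            try {
                ClassUtils.getClass(className);
                outcome[0] = "resolved";
            } catch (ClassNotFoundException e) {
                outcome[0] = "ClassNotFoundException";
            } catch (StackOverflowError e) {
                outcome[0] = "StackOverflowError";
            }
        }, "probe", 256L * 1024);
        t.start();
        t.join();
        return outcome[0];
    }

    public static void main(String[] args) throws Exception {
        String evil = pathologicalName(20_000);

        // 1. Vulnerable path: an Error, not an Exception, reaches the caller.
        System.out.println("unguarded: " + probeUnguarded(evil));

        // 2. Guarded path: rejected in a single pass over the string, no recursion.
        try {
            safeGetClass(evil);
        } catch (IllegalArgumentException e) {
            System.out.println("guarded:   rejected (" + e.getMessage() + ")");
        }

        // 3. Legitimate names, including '.'-separated inner classes, still resolve.
        System.out.println("guarded:   " + safeGetClass("java.util.Map.Entry"));
    }
}
```

The guard is defense in depth for code paths where the class name originates from a request, a deserialised payload or other untrusted data; names that come from configuration you control do not need it. The fix remains the upgrade to 3.18.0 or to the fixed package revisions listed below, since a guard only protects the call sites you remembered to wrap.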

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release              Version          Status
libcommons-lang-java    bullseye             2.6-9            vulnerable
                        bullseye (security)  2.6-9+deb11u1    fixed
                        bookworm, trixie     2.6-10           vulnerable
                        forky, sid           2.6-11           fixed
libcommons-lang3-java   bullseye             3.11-1           vulnerable
                        bullseye (security)  3.11-1+deb11u1   fixed
                        bookworm             3.12.0-2         vulnerable
                        trixie               3.17.0-1         vulnerable
                        forky, sid           3.17.0-2         fixed

The information below is based on the following data on fixed versions.

Package                Type    Release     Fixed Version    Urgency  Origin      Debian Bugs
libcommons-lang-java   source  bullseye    2.6-9+deb11u1             DLA-4262-1
libcommons-lang-java   source  (unstable)  2.6-11                                1109126
libcommons-lang3-java  source  bullseye    3.11-1+deb11u1            DLA-4286-1
libcommons-lang3-java  source  (unstable)  3.17.0-2                              1109125

Notes

[trixie] - libcommons-lang3-java <no-dsa> (Minor issue)
[bookworm] - libcommons-lang3-java <no-dsa> (Minor issue)
[trixie] - libcommons-lang-java <no-dsa> (Minor issue)
[bookworm] - libcommons-lang-java <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2025/07/11/1
https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53 (commons-lang-3.18.0-RC1)
