
CVE-2024-29133: Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.58348%
Published: 3/21/2024
Updated: 2/13/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Package Name: org.apache.commons:commons-configuration2
Ecosystem: maven
Vulnerable Versions: >= 2.0, < 2.10.1
First Patched Version: 2.10.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability arises from improper cycle detection in the flatten method. The original implementation added the input object to the 'dejaVu' set (used to track visited objects) before invoking the recursive processing logic. This caused the top-level object to be marked as visited too early, bypassing proper cycle checks for its nested elements. When a cyclical object tree (e.g., a list containing itself) was processed, the recursion did not terminate, causing a StackOverflowError. The fix removed this premature addition, allowing the 'dejaVu' set to track visited objects correctly during recursion. The test cases added in the commit (e.g., testCompress840ArrayListCycle) explicitly validate this scenario, confirming the function's role in the vulnerability.
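The following is an added example, not code from Apache Commons Configuration or from the upstream fix: a small cycle-safe flatten that shows what a visited-set guard has to get right for the cyclical input described above. The identity-based set and the marking order are this example's own choices; the class and method names are hypothetical.

```java
import java.lang.reflect.Array;
import java.util.ArrayList;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Set;

/** Flattens a nested object tree (Iterables and arrays) into a list of leaves, capped at 'limit'. */
public final class CycleSafeFlatten {

    public static List<Object> flatten(Object value, int limit) {
        // Identity-based visited set: a plain HashSet would call hashCode() on a
        // list that contains itself, which itself recurses until StackOverflowError.
        Set<Object> dejaVu = Collections.newSetFromMap(new IdentityHashMap<>());
        List<Object> out = new ArrayList<>();
        flatten(value, limit, dejaVu, out);
        return out;
    }

    private static void flatten(Object value, int limit, Set<Object> dejaVu, List<Object> out) {
        if (out.size() >= limit) {
            return; // hard cap so a huge (but acyclic) tree also cannot exhaust resources
        }
        if (value instanceof Iterable) {
            // Mark the container before descending; a back-reference to it is then skipped.
            if (!dejaVu.add(value)) {
                return; // already on the current path: this is the cycle
            }
            for (Object element : (Iterable<?>) value) {
                if (out.size() >= limit) break;
                flatten(element, limit, dejaVu, out);
            }
        } else if (value != null && value.getClass().isArray()) {
            if (!dejaVu.add(value)) return;
            int len = Array.getLength(value);
            for (int i = 0; i < len && out.size() < limit; i++) {
                flatten(Array.get(value, i), limit, dejaVu, out);
            }
        } else {
            out.add(value); // leaf: String, number, null, ...
        }
    }

    public static void main(String[] args) {
        List<Object> cyclic = new ArrayList<>();   // constructed input: a list containing itself
        cyclic.add("a");
        cyclic.add(cyclic);
        Object[] arr = {"b", cyclic, "c"};          // and an array that points back into the list
        cyclic.add(arr);
        System.out.println(flatten(cyclic, 10));   // [a, b, c]
    }
}
```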
