| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.commons:commons-configuration2 | maven | >= 2.0, < 2.10.1 | 2.10.1 |
The vulnerability arises from improper cycle detection in the `flatten` method. The original implementation added the input object to the `dejaVu` set (which tracks objects already visited) before invoking the recursive processing logic, so the top-level object was marked as visited too early and the cycle checks for its nested elements were effectively bypassed. When a cyclical object tree (for example, a list that contains itself) was processed, the recursion never terminated and the JVM threw a StackOverflowError, so a caller that can feed such an object graph into the library can crash the processing thread (a denial of service). The fix removed this premature addition, allowing the `dejaVu` set to track visited objects correctly during recursion; the practical remedy is to upgrade to 2.10.1 or later. The test cases added in the commit (e.g., `testCompress840ArrayListCycle`) explicitly exercise this scenario, confirming the method's role in the vulnerability.
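As an added illustration (not code from commons-configuration2 or from the fixing commit), the following stand-alone Java program contrasts a naive recursive flatten with one guarded by a `dejaVu` set, run against a constructed list that contains itself. The method names `flattenNaive`/`flattenSafe`, the `limit` parameter and the sample input are assumptions made for this example; the library's own method signatures and cycle-handling details may differ.

```java
import java.lang.reflect.Array;
import java.util.ArrayList;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Set;

public class CycleSafeFlatten {

    // Naive flatten (constructed for this example): recurses into every Iterable or array
    // without remembering what it has already entered, so a list that contains itself
    // never terminates and the JVM throws StackOverflowError.
    static List<Object> flattenNaive(Object value, int limit) {
        List<Object> out = new ArrayList<>();
        if (value == null) {
            return out;
        }
        if (value instanceof Iterable) {
            for (Object element : (Iterable<?>) value) {
                if (out.size() >= limit) {
                    break;
                }
                out.addAll(flattenNaive(element, limit - out.size()));
            }
        } else if (value.getClass().isArray()) {
            int n = Array.getLength(value);
            for (int i = 0; i < n && out.size() < limit; i++) {
                out.addAll(flattenNaive(Array.get(value, i), limit - out.size()));
            }
        } else {
            out.add(value);
        }
        return out;
    }

    // Guarded flatten: each container is recorded in the dejaVu set before its elements are
    // visited, and a container that is already present is skipped instead of re-entered.
    static List<Object> flattenSafe(Object value, int limit) {
        // Identity semantics matter here: a HashSet would call hashCode() on the cyclic
        // ArrayList, and ArrayList.hashCode() recurses into its elements, overflowing the
        // stack again before the cycle check ever runs.
        Set<Object> dejaVu = Collections.newSetFromMap(new IdentityHashMap<>());
        List<Object> out = new ArrayList<>();
        flattenInto(value, limit, dejaVu, out);
        return out;
    }

    private static void flattenInto(Object value, int limit, Set<Object> dejaVu, List<Object> out) {
        if (value == null || out.size() >= limit) {
            return;
        }
        boolean isContainer = value instanceof Iterable || value.getClass().isArray();
        if (!isContainer) {
            out.add(value);
            return;
        }
        if (!dejaVu.add(value)) {
            return; // already visited: a cycle (or a repeated reference); do not descend again
        }
        if (value instanceof Iterable) {
            for (Object element : (Iterable<?>) value) {
                if (out.size() >= limit) {
                    break;
                }
                flattenInto(element, limit, dejaVu, out);
            }
        } else {
            int n = Array.getLength(value);
            for (int i = 0; i < n && out.size() < limit; i++) {
                flattenInto(Array.get(value, i), limit, dejaVu, out);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input mirroring the advisory's scenario: a list that contains itself.
        List<Object> cyclic = new ArrayList<>();
        cyclic.add("a");
        cyclic.add(cyclic);
        cyclic.add(new String[] {"b", "c"});

        System.out.println(flattenSafe(cyclic, Integer.MAX_VALUE));

        try {
            flattenNaive(cyclic, Integer.MAX_VALUE);
            System.out.println("naive flatten returned (unexpected)");
        } catch (StackOverflowError e) {
            System.out.println("naive flatten: StackOverflowError, as in the unpatched library");
        }
    }
}
```

Two points worth noting when writing a guard like this. First, the visited set must use identity semantics (`IdentityHashMap`), because `equals`/`hashCode` on a self-containing `ArrayList` are themselves recursive. Second, a visited set skips not only true cycles but also a sub-list that is legitimately referenced twice; if the second occurrence should be flattened again, remove the container from the set after its elements have been processed so the set tracks only the current recursion path.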