6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-46392

GHSA ID

GHSA-pvp8-3xj6-8c6x

EPSS Score

0.14848%

CWE

CWE-400

Published

5/9/2025

Updated

5/9/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-46392

CVE-2025-46392: Apache Commons Configuration Uncontrolled Resource Consumption

Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x.

There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenarios where you only load trusted configurations.

Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-46392

GHSA ID

GHSA-pvp8-3xj6-8c6x

EPSS Score

0.14848%

CWE

CWE-400

Published

5/9/2025

Updated

5/9/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
commons-configuration:commons-configuration	maven	<= 1.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability described (GHSA-pvp8-3xj6-8c6x, CVE-2025-46392) is an 'Uncontrolled Resource Consumption' issue in Apache Commons Configuration 1.x. According to the advisory, 'The Apache Commons Configuration team does not intend to fix these issues in 1.x.' Instead, users are advised to upgrade to version 2.x. Since there are no security patches for this specific vulnerability in the 1.x version range, it is not possible to identify vulnerable functions based on patch analysis as per the task requirements. The commit information provided is empty. The referenced CVEs (CVE-2024-29131, CVE-2024-29133) pertain to Apache Commons Configuration 2.x and address 'Out-of-bounds Write' vulnerabilities, which are different from the described 1.x issue and its resolution (or lack thereof via patching). Therefore, without specific patches for the 1.x 'Uncontrolled Resource Consumption' vulnerability, no functions can be identified through the requested patch analysis methodology.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Un*ontroll** R*sour** *onsumption vuln*r**ility in *p**** *ommons *on*i*ur*tion *.x. T**r* *r* * num**r o* issu*s in *p**** *ommons *on*i*ur*tion *.x t**t *llow *x**ssiv* r*sour** *onsumption w**n lo**in* untrust** *on*i*ur*tions or usin* un*xp**t**

Reasoning

T** vuln*r**ility **s*ri*** (**S*-pvp*-*xj*-***x, *V*-****-*****) is *n 'Un*ontroll** R*sour** *onsumption' issu* in `*p**** *ommons *on*i*ur*tion` *.x. ***or*in* to t** **visory, 'T** *p**** *ommons *on*i*ur*tion t**m *o*s not int*n* to *ix t**s* is

6.5

Basic Information

Concerned about an active attack path?

CVE-2025-46392: Apache Commons Configuration Uncontrolled Resource Consumption

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI