CVE-2025-48924:
Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.0587%
CWE
Published
7/11/2025
Updated
7/12/2025
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
org.apache.commons:commons-lang3 | maven | >= 3.0, < 3.18.0 | 3.18.0
commons-lang:commons-lang | maven | >= 2.0, <= 2.6 | 
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The analysis of the provided commit patch points directly to the org.apache.commons.lang3.ClassUtils.getClass method as the source of the uncontrolled recursion vulnerability. The patch removes the recursive call within the method and replaces it with an iterative do-while loop. The commit message, "Rewrite ClassUtils.getClass() without recursion to avoid StackOverflowError on very long inputs," confirms this. The vulnerability is triggered when a long string containing numerous package separators is passed to the method: each separator costs one further recursive call, the call stack is exhausted, and the resulting StackOverflowError can cause a denial of service.
Vulnerable functions
org.apache.commons.lang3.ClassUtils.getClass
src/main/java/org/apache/commons/lang3/ClassUtils.java
The vulnerability lies in the recursive nature of the `getClass` method. When a class name with many package separators ('.') is provided, the method recursively calls itself after replacing the last separator with an inner class separator ('$'). This can lead to a `StackOverflowError` for very long, specially crafted class names, causing the application to terminate.
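The following is an added illustration of the recursion pattern described above, not the library's code and not the actual patch: a simplified name resolver in its recursive shape, where stack depth grows with the number of '.' characters, beside an iterative rewrite with constant stack depth. The `KNOWN` lookup set stands in for a class loader and the sample names are constructed.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Illustrative resolver: "java.util.Map.Entry" -> "java.util.Map$Entry". Not the library's code. */
public final class ClassNameResolution {

    /** Constructed stand-in for ClassLoader.loadClass: only these names "exist". */
    private static final Set<String> KNOWN = new HashSet<>(
            Arrays.asList("java.util.Map", "java.util.Map$Entry"));

    private static boolean exists(String name) {
        return KNOWN.contains(name);
    }

    /** Vulnerable shape: one stack frame per '.' in the input. */
    static String resolveRecursive(String name) {
        if (exists(name)) {
            return name;
        }
        int lastDot = name.lastIndexOf('.');
        if (lastDot == -1) {
            throw new IllegalArgumentException("Class not found");
        }
        // Replace the last package separator with the inner-class separator and retry.
        String inner = name.substring(0, lastDot) + '$' + name.substring(lastDot + 1);
        return resolveRecursive(inner); // depth == number of separators in the input
    }

    /** Fixed shape: same search order, but a loop instead of recursion. */
    static String resolveIterative(String name) {
        String candidate = name;
        do {
            if (exists(candidate)) {
                return candidate;
            }
            int lastDot = candidate.lastIndexOf('.');
            if (lastDot == -1) {
                throw new IllegalArgumentException("Class not found");
            }
            candidate = candidate.substring(0, lastDot) + '$' + candidate.substring(lastDot + 1);
        } while (true);
    }

    public static void main(String[] args) {
        System.out.println(resolveIterative("java.util.Map.Entry")); // java.util.Map$Entry
        StringBuilder sb = new StringBuilder(); // constructed input with 50,000 separators
        for (int i = 0; i < 50_000; i++) sb.append("a.");
        String longName = sb.append("b").toString();
        try { resolveRecursive(longName); } catch (StackOverflowError e) { System.out.println("recursive: StackOverflowError"); }
        try { resolveIterative(longName); } catch (IllegalArgumentException e) { System.out.println("iterative: " + e.getMessage()); }
    }
}
```

Both versions still do O(n) string copies per attempt, so on a service that resolves caller-supplied class names a length limit on the input is the complementary control; the loop only removes the stack exhaustion.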