CVE-2025-48924: CWE-674 Uncontrolled Recursion in Apache Software Foundation Apache Commons Lang
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.
AI Analysis
Technical Summary
CVE-2025-48924 is a medium-severity vulnerability affecting the Apache Commons Lang library, specifically versions 2.0 through 2.6 and versions 3.0 up to but not including 3.18.0. The vulnerability arises from uncontrolled recursion in the ClassUtils.getClass(...) methods, which can lead to a StackOverflowError when processing very long input strings. Since StackOverflowError is a subclass of java.lang.Error, it is typically not caught or handled by applications or libraries, so the affected Java application terminates abruptly. This uncontrolled recursion flaw is categorized under CWE-674 (Uncontrolled Recursion). The impact is limited to availability: the vulnerability does not compromise confidentiality or integrity, but it can cause denial of service by crashing the application. The vulnerability is remotely exploitable without authentication or user interaction, as it can be triggered by passing crafted inputs to the vulnerable method. The Apache Software Foundation has addressed this issue in version 3.18.0 of Apache Commons Lang, and users are strongly advised to upgrade to this or a later version to mitigate the risk. No known exploits are currently reported in the wild, but the ease of triggering a StackOverflowError makes it a potential vector for denial-of-service attacks in environments using the affected library versions.
Potential Impact
For European organizations, the primary impact of CVE-2025-48924 is the risk of denial-of-service conditions in Java applications that depend on vulnerable versions of Apache Commons Lang. This library is widely used in enterprise Java applications, middleware, and frameworks across various sectors including finance, telecommunications, government, and healthcare. An attacker could exploit this vulnerability by sending specially crafted inputs to services that utilize the vulnerable ClassUtils.getClass(...) method, causing application crashes and service interruptions. This could disrupt critical business operations, degrade service availability, and potentially lead to reputational damage. While the vulnerability does not directly expose sensitive data or allow unauthorized code execution, the resulting downtime could indirectly affect compliance with European regulations such as GDPR if service disruptions impact data processing or availability. Organizations relying on legacy Java applications or third-party software components that embed vulnerable versions are particularly at risk.
Mitigation Recommendations
To mitigate CVE-2025-48924, European organizations should:
1) Identify all applications and services that use Apache Commons Lang versions 2.0 to 2.6 or 3.0 up to before 3.18.0, including transitive dependencies in their software supply chain.
2) Upgrade all affected instances to Apache Commons Lang version 3.18.0 or later, which contains the fix for uncontrolled recursion.
3) Where immediate upgrade is not feasible, implement input validation and length checks on inputs passed to ClassUtils.getClass(...) to prevent excessively long strings that could trigger recursion.
4) Employ runtime monitoring and alerting for unexpected application crashes or StackOverflowError occurrences to detect exploitation attempts early.
5) Review and update software development and deployment policies to ensure timely patching of third-party libraries and dependencies.
6) Conduct thorough regression testing post-upgrade to ensure stability and compatibility.
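As an added example for interim step 3 (this is not code from the advisory or from Apache Commons Lang), a small guard that bounds the length and character set of a class name before it reaches ClassUtils.getClass(...). The 512-character bound and the accepted-character rules are assumptions chosen for this example, not values stated in the advisory; the main method needs Java 11+ for String.repeat.

```java
import org.apache.commons.lang3.ClassUtils;

/** Interim guard for ClassUtils.getClass(...) on library versions before 3.18.0 (added example). */
public final class GuardedClassLookup {
    // Assumed bound: generous for real class names, far below what is needed to exhaust the stack.
    private static final int MAX_CLASS_NAME_LENGTH = 512;

    private GuardedClassLookup() {}

    /** Returns true only if the name is short enough and is shaped like a Java class name. */
    static boolean isAcceptableClassName(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_CLASS_NAME_LENGTH) {
            return false;
        }
        boolean expectIdentifierStart = true;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c == '.' || c == '$') {            // package / nested-class separators
                if (expectIdentifierStart) {       // rejects "", "..", leading '.' or '$'
                    return false;
                }
                expectIdentifierStart = true;
                continue;
            }
            if (c == '[' || c == ']') {            // array suffix, e.g. "java.lang.String[]"
                continue;
            }
            boolean ok = expectIdentifierStart ? Character.isJavaIdentifierStart(c)
                                               : Character.isJavaIdentifierPart(c);
            if (!ok) {
                return false;
            }
            expectIdentifierStart = false;
        }
        return !expectIdentifierStart;             // must not end on a separator
    }

    /** Resolves a class name, rejecting untrusted input before it reaches the vulnerable method. */
    public static Class<?> getClassSafely(String className) throws ClassNotFoundException {
        if (!isAcceptableClassName(className)) {
            int len = className == null ? 0 : className.length();
            throw new IllegalArgumentException("rejected class name (length " + len + ")");
        }
        return ClassUtils.getClass(className);
    }

    public static void main(String[] args) throws ClassNotFoundException {
        System.out.println(getClassSafely("java.util.Map$Entry"));
        // Constructed over-long, dot-heavy input of the kind the advisory describes;
        // the guard rejects it without ever calling ClassUtils.
        String tooLong = "a.".repeat(10_000) + "B";
        System.out.println(isAcceptableClassName(tooLong));
    }
}
```

The guard rejects on length first, so an over-long name never reaches the recursive lookup; rejected inputs surface as an IllegalArgumentException that application code can log for the monitoring in step 4.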
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-05-28T15:06:51.476Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68712732a83201eaacaf3f8f
Added to database: 7/11/2025, 3:01:06 PM
Last enriched: 7/18/2025, 9:15:33 PM
Last updated: 8/18/2025, 5:59:36 PM