CVE-2025-48924: CWE-674 Uncontrolled Recursion in Apache Software Foundation Apache Commons Lang

Severity: Medium
Tags: Vulnerability, CVE-2025-48924, CWE-674
Published: Fri Jul 11 2025 (07/11/2025, 14:56:58 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Commons Lang

Description

Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 to 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0. The ClassUtils.getClass(...) methods can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

AI-Powered Analysis

AI analysis last updated: 07/18/2025, 21:15:33 UTC

Technical Analysis

CVE-2025-48924 is a medium-severity vulnerability affecting the Apache Commons Lang library, specifically versions from 2.0 up to 2.6 and versions 3.0 up to before 3.18.0. The vulnerability arises from uncontrolled recursion in the ClassUtils.getClass(...) methods, which can lead to a StackOverflowError when processing very long input strings. Since StackOverflowError is a subclass of java.lang.Error, it is typically not caught or handled by applications or libraries, so the affected Java application terminates abruptly. This flaw is categorized under CWE-674 (Uncontrolled Recursion). The impact is limited to availability: the vulnerability does not compromise confidentiality or integrity, but it can cause denial of service by crashing the application. The vulnerability is remotely exploitable without authentication or user interaction, as it can be triggered by passing crafted inputs to the vulnerable method. The Apache Software Foundation has addressed this issue in version 3.18.0 of Apache Commons Lang, and users are strongly advised to upgrade to version 3.18.0 or later to mitigate the risk. No known exploits are currently reported in the wild, but the ease of triggering a StackOverflowError makes it a potential vector for denial-of-service attacks in environments using the affected library versions.

Potential Impact

For European organizations, the primary impact of CVE-2025-48924 is the risk of denial-of-service conditions in Java applications that depend on vulnerable versions of Apache Commons Lang. This library is widely used in enterprise Java applications, middleware, and frameworks across various sectors including finance, telecommunications, government, and healthcare. An attacker could exploit this vulnerability by sending specially crafted inputs to services that utilize the vulnerable ClassUtils.getClass(...) method, causing application crashes and service interruptions. This could disrupt critical business operations, degrade service availability, and potentially lead to reputational damage. While the vulnerability does not directly expose sensitive data or allow unauthorized code execution, the resulting downtime could indirectly affect compliance with European regulations such as GDPR if service disruptions impact data processing or availability. Organizations relying on legacy Java applications or third-party software components that embed vulnerable versions are particularly at risk.

Mitigation Recommendations

To mitigate CVE-2025-48924, European organizations should:

1) Identify all applications and services that use Apache Commons Lang versions 2.0 to 2.6 or 3.0 up to before 3.18.0, including transitive dependencies in their software supply chain.
2) Upgrade all affected instances to Apache Commons Lang version 3.18.0 or later, which contains the fix for uncontrolled recursion.
3) Where immediate upgrade is not feasible, implement input validation and length checks on inputs passed to ClassUtils.getClass(...) to prevent excessively long strings that could trigger recursion.
4) Employ runtime monitoring and alerting for unexpected application crashes or StackOverflowError occurrences to detect exploitation attempts early.
5) Review and update software development and deployment policies to ensure timely patching of third-party libraries and dependencies.
6) Conduct thorough regression testing post-upgrade to ensure stability and compatibility.
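As an added example (not code from this advisory or from Apache Commons Lang), a Java wrapper that applies mitigations 3 and 4 above: a length cap on the class name before ClassUtils.getClass(...) is called, and an uncaught-exception handler that logs StackOverflowError in a form monitoring can alert on. The class name GuardedClassLookup, the method lookup, and the MAX_CLASS_NAME_LENGTH bound of 1024 are assumptions to be tuned to the deployment.

```java
import org.apache.commons.lang3.ClassUtils;

/** Guarded wrapper: length cap before the call, crash reporting after. */
public final class GuardedClassLookup {

    // Assumed bound: legitimate fully qualified class names are far shorter;
    // tune it to the longest name your application actually loads.
    static final int MAX_CLASS_NAME_LENGTH = 1024;

    private GuardedClassLookup() {}

    /** Resolves a class by name, rejecting oversize inputs before the library sees them. */
    public static Class<?> lookup(String className) throws ClassNotFoundException {
        if (className == null || className.isEmpty()) {
            throw new IllegalArgumentException("class name must be non-empty");
        }
        if (className.length() > MAX_CLASS_NAME_LENGTH) {
            throw new IllegalArgumentException("class name length " + className.length()
                    + " exceeds limit " + MAX_CLASS_NAME_LENGTH);
        }
        return ClassUtils.getClass(className);
    }

    /**
     * Installs a default handler so a StackOverflowError that kills a thread is
     * logged in a recognisable form; route that log line to alerting.
     */
    public static void installCrashReporter() {
        Thread.UncaughtExceptionHandler previous = Thread.getDefaultUncaughtExceptionHandler();
        Thread.setDefaultUncaughtExceptionHandler((thread, error) -> {
            if (error instanceof StackOverflowError) {
                System.err.println("ALERT StackOverflowError in thread " + thread.getName()
                        + " (check for CVE-2025-48924 exposure)");
            }
            if (previous != null) {
                previous.uncaughtException(thread, error);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        installCrashReporter();
        System.out.println(lookup("java.lang.String[]").getName());
        try {
            lookup("x".repeat(MAX_CLASS_NAME_LENGTH + 1)); // constructed oversize input (Java 11+)
        } catch (IllegalArgumentException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

The length cap is a stopgap only; the upgrade to 3.18.0 remains the fix.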


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-05-28T15:06:51.476Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68712732a83201eaacaf3f8f

Added to database: 7/11/2025, 3:01:06 PM

Last enriched: 7/18/2025, 9:15:33 PM

Last updated: 8/18/2025, 5:59:36 PM
