CVE-2024-47554: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader

October 3, 2024 (updated January 31, 2025)

Uncontrolled Resource Consumption vulnerability in Apache Commons IO.

The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.

This issue affects Apache Commons IO: from 2.0 before 2.14.0.

Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

References

github.com/advisories/GHSA-78wr-2p64-hpwj
github.com/apache/commons-io
lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1
nvd.nist.gov/vuln/detail/CVE-2024-47554
security.netapp.com/advisory/ntap-20250131-0010

Detect and mitigate CVE-2024-47554 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →