CVE-2025-48924: Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs

July 11, 2025 (updated July 12, 2025)

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(…) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

References

github.com/advisories/GHSA-j288-q9x7-2f5v
github.com/apache/commons-lang
github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53
lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1
nvd.nist.gov/vuln/detail/CVE-2025-48924

Code Behaviors & Features

Detect and mitigate CVE-2025-48924 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →