CVE-2025-48924: Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs
(updated )
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(…) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
References
- github.com/advisories/GHSA-j288-q9x7-2f5v
- github.com/apache/commons-lang
- github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53
- lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1
- lists.debian.org/debian-lts-announce/2025/08/msg00000.html
- lists.debian.org/debian-lts-announce/2025/08/msg00026.html
- lists.debian.org/debian-lts-announce/2025/09/msg00032.html
- lists.debian.org/debian-lts-announce/2025/09/msg00036.html
- nvd.nist.gov/vuln/detail/CVE-2025-48924
Code Behaviors & Features
Detect and mitigate CVE-2025-48924 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →