CVE-2025-48924

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-48924
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48924.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-48924
Published
2025-07-11T15:15:24Z
Modified
2025-07-12T01:27:15.943417Z
Summary
[none]
Details

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 to 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Affected packages

Debian:11 / libcommons-lang-java

Package

Name
libcommons-lang-java
Purl
pkg:deb/debian/libcommons-lang-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.6-9
2.6-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libcommons-lang-java

Package

Name
libcommons-lang-java
Purl
pkg:deb/debian/libcommons-lang-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.6-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libcommons-lang-java

Package

Name
libcommons-lang-java
Purl
pkg:deb/debian/libcommons-lang-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.6-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / libcommons-lang3-java

Package

Name
libcommons-lang3-java
Purl
pkg:deb/debian/libcommons-lang3-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.11-1
3.12.0-1
3.12.0-2
3.13.0-1
3.14.0-1
3.17.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libcommons-lang3-java

Package

Name
libcommons-lang3-java
Purl
pkg:deb/debian/libcommons-lang3-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.12.0-2
3.13.0-1
3.14.0-1
3.17.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libcommons-lang3-java

Package

Name
libcommons-lang3-java
Purl
pkg:deb/debian/libcommons-lang3-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.12.0-2
3.13.0-1
3.14.0-1
3.17.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}