CVE-2025-48924

EUVD-2025-21159
Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 through 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0.

The ClassUtils.getClass(...) methods can throw a StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.
CVSS 3.x Base Score

Provider   Type     Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       Primary  5.3 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA-ADP   ADP      5.3 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Score: Percentile 5%
Affected Products (NVD)

Vendor   Product        Version
apache   commons_lang   2.0 ≤ x < 2.6
apache   commons_lang   3.0 ≤ x < 3.18.0

(x = vulnerable software versions)
Debian Releases

Debian Product          Codename              Version               Status
libcommons-lang-java    bookworm              2.6-10+deb12u1        fixed
libcommons-lang-java    bullseye              -                     vulnerable
libcommons-lang-java    bullseye (security)   2.6-9+deb11u2         fixed
libcommons-lang-java    forky                 2.6-12                fixed
libcommons-lang-java    sid                   2.6-12                fixed
libcommons-lang-java    trixie                2.6-10+deb13u1        fixed
libcommons-lang3-java   bookworm              3.12.0-2+deb12u1      fixed
libcommons-lang3-java   bullseye              -                     vulnerable
libcommons-lang3-java   bullseye (security)   3.11-1+deb11u2        fixed
libcommons-lang3-java   forky                 3.17.0-2              fixed
libcommons-lang3-java   sid                   3.17.0-2              fixed
libcommons-lang3-java   trixie                3.17.0-1+deb13u1      fixed