CVE-2025-48924

Published Jul 11, 2025

Last updated 7 months ago

CVSS medium 5.3
Database

Overview

Description
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Source
security@apache.org
NVD status
Modified
Products
commons_lang

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity
MEDIUM

Weaknesses

security@apache.org
CWE-674

Social media

Hype score
Not currently trending

  1. Just published a deep dive on the new #Mageia security advisory. MGASA-2025-0293 patches a serious flaw in Apache Commons Lang (CVE-2025-48924). Read more: 👉 https://t.co/FsJk3D3pAC #Security https://t.co/F57tAmqjy6

    @Cezar_H_Linux

    15 Nov 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CRITICAL: Patch CVE-2025-48924 in #openSUSE! Uncontrolled recursion in Apache Commons Lang3 = system-crashing DoS. Read more:👉 https://t.co/p2B8knB4oH #Security https://t.co/33tjSKupUE

    @Cezar_H_Linux

    13 Aug 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. BREAKING: CVE-2025-48924 - Apache Commons Lang3 DoS flaw patched by #SUSE (2025:02786-1) ❗ CVSS 5.7 | Recursion exploit. Read more: 👉 https://t.co/Btluj9L3OY #Security https://t.co/0SEBZwRtGB

    @Cezar_H_Linux

    13 Aug 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-48924: Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs https://t.co/oAi2Mr1xfB

    @oss_security

    11 Jul 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-48924 Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from or… https://t.co/QkkAAlpfF5

    @CVEnew

    11 Jul 2025

    213 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. BerriAI LiteLLM SQL Injection VulnerabilityCVE-2026-42208
  2. Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.CVE-2026-25243
  3. Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).CVE-2026-35229
  4. Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).CVE-2026-34279
  5. Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.CVE-2026-6553

References

Sources include official advisories and independent security research.