CVE-2025-48924

low-risk

Published 2025-07-11

Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Do I need to act?

-

0.04% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

5

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Commons Lang

Affected Vendors

Apache

References (6)

Mailing List https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1

http://www.openwall.com/lists/oss-security/2025/07/11/1

https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html

https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html

https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html

https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html

26

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal