Fluid Attacks Database

Description

Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	libcommons-lang-java	=2.6-10 \|\| >=0 <2.6-11	2.6-11
maven	org.apache.commons:commons-lang3	>=3.0 <3.18.0	3.18.0
maven	commons-lang:commons-lang	>=2.0 <=2.6	-
debian 11	libcommons-lang-java	=2.6-9 \|\| >=0 <2.6-9+deb11u1	2.6-9+deb11u1
debian 12	libcommons-lang-java	=2.6-10 \|\| >=0 <2.6-10+deb12u1	2.6-10+deb12u1
debian 13	libcommons-lang-java	=2.6-10 \|\| >=0 <2.6-10+deb13u1	2.6-10+deb13u1
debian 11	libcommons-lang3-java	=3.11-1 \|\| >=0 <3.11-1+deb11u1	3.11-1+deb11u1
debian 12	libcommons-lang3-java	=3.12.0-2 \|\| >=0 <3.12.0-2+deb12u1	3.12.0-2+deb12u1
debian 13	libcommons-lang3-java	=3.17.0-1 \|\| >=0 <3.17.0-1+deb13u1	3.17.0-1+deb13u1
debian 14	libcommons-lang3-java	=3.17.0-1 \|\| >=0 <3.17.0-2	3.17.0-2

1-10 of 59

Aliases

1. CVE-2025-489242. NVD-2025-489243. OSV-DEBIAN-2025-489244. OSV-2025-489245. GCVE-2025-489246. SECURITY-TRACKER-CVE-2025-489247. lists.debian.org8. lists.debian.org9. lists.debian.org10. lists.debian.org

References

1. https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca532. https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g13. http://www.openwall.com/lists/oss-security/2025/07/11/1