CVE-2025-48924 Overview
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 through 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0.
The ClassUtils.getClass(...) methods can throw a StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError can cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Critical Impact
Affects web applications and services relying on Apache Commons Lang for class loading, leading to potential service disruptions.
Affected Products
- Apache Commons Lang (commons-lang and commons-lang3)
Discovery Timeline
- Date not available - Vulnerability discovered (discoverer not credited)
- Date not available - Responsible disclosure to Apache
- Date not available - CVE-2025-48924 assigned
- Date not available - Apache releases security patch
- 2025-07-11T15:15:24.347 - CVE-2025-48924 published to NVD
- 2025-11-04T22:16:17.823 - Last updated in NVD database
Technical Details for CVE-2025-48924
Vulnerability Analysis
The vulnerability results from an uncontrolled recursion in the ClassUtils.getClass(...) method. When processing deeply nested class names, the method may lead to a StackOverflowError. This error is generally unhandled, which can cause software relying on Apache Commons Lang to terminate unexpectedly.
Root Cause
The root cause is the lack of input length checks in ClassUtils.getClass(...), which leads to potential recursive calls exceeding the stack limit.
Attack Vector
The attack vector is network-based, where an attacker may send specially crafted class names to a vulnerable application utilizing this library.
// Example (sanitized): a very long, dot-separated name drives getClass into deep recursion.
// Catching StackOverflowError here only illustrates the failure; applications normally do not catch it.
try {
    ClassUtils.getClass("a.a.a.a.a.a.a... (very long input string)");
} catch (StackOverflowError e) {
    System.err.println("Potential denial of service detected.");
}
Detection Methods for CVE-2025-48924
Indicators of Compromise
- Unexpected application crashes
- StackOverflowError logged in system records
- High CPU usage leading to service disruption
Detection Strategies
Implement monitoring to detect sudden increases in CPU usage and stack overflow-related error messages in logs. Additionally, review application logs for unexpected terminations.
Monitoring Recommendations
Use application performance monitoring tools to track CPU utilization and set alerts for stack overflow errors. Ensure logging is enabled for exceptions and errors, focusing on patterns related to class loading.
How to Mitigate CVE-2025-48924
Immediate Actions Required
- Upgrade to org.apache.commons:commons-lang3 version 3.18.0 or later
- Monitor application logs for stack overflows
- Implement input validation to limit class name lengths
Patch Information
Patches are available starting from org.apache.commons:commons-lang3 version 3.18.0. Refer to the Apache Commons Lang security advisory for the vendor's statement.
Workarounds
Upgrading to the fixed version is the recommended remedy. As a workaround, enforce a maximum length on any class name passed to ClassUtils.getClass(...) before the call is made.
# Illustrative application-level setting (not a Commons Lang configuration key); the value is an example
INPUT_MAX_LENGTH=256
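One way to apply this workaround in application code, as an added example that is not part of the advisory or of Apache Commons Lang itself: a small wrapper that rejects over-long class names before delegating to ClassUtils.getClass. It also rejects names with an excessive number of '.' separators, an added assumption based on the fact that getClass retries with the last '.' replaced by '$' on every ClassNotFoundException, so the separator count bounds the retry depth. The class name SafeClassLookup and the limits 256 and 32 are assumptions to be tuned per application.

```java
import org.apache.commons.lang3.ClassUtils;

/** Added example: length-guarded front end for ClassUtils.getClass (not library code). */
public final class SafeClassLookup {
    // Assumed limits; pick values that cover the class names the application legitimately resolves.
    private static final int MAX_NAME_LENGTH = 256;
    private static final int MAX_DOT_COUNT = 32;

    private SafeClassLookup() {}

    /** Resolves className via ClassUtils.getClass, rejecting inputs that could exhaust the stack. */
    public static Class<?> load(String className) throws ClassNotFoundException {
        if (className == null || className.length() > MAX_NAME_LENGTH) {
            throw new IllegalArgumentException(
                "class name missing or longer than " + MAX_NAME_LENGTH + " characters");
        }
        int dots = 0;
        for (int i = 0; i < className.length(); i++) {
            if (className.charAt(i) == '.' && ++dots > MAX_DOT_COUNT) {
                throw new IllegalArgumentException(
                    "class name has more than " + MAX_DOT_COUNT + " package separators");
            }
        }
        // Each ClassNotFoundException retry inside getClass turns one '.' into '$',
        // so the checks above bound how much work the call can do.
        return ClassUtils.getClass(className);
    }

    public static void main(String[] args) throws Exception {
        // Normal inner-class lookup still works: "java.util.Map.Entry" resolves to java.util.Map$Entry.
        System.out.println(load("java.util.Map.Entry"));
        try {
            // Constructed hostile input of the shape described in the advisory (Java 11+ String.repeat).
            load("a.".repeat(10_000) + "a");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Place the guard at the boundary where untrusted input enters (request parsing, deserialization hooks) rather than beside every getClass call, so the limit is enforced once and consistently; the IllegalArgumentException is an ordinary exception the application can log and map to a client error, unlike the StackOverflowError it prevents.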
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.