
CVE-2025-48924: Apache Commons Lang DoS Vulnerability

CVE-2025-48924 is a denial of service vulnerability in Apache Commons Lang caused by uncontrolled recursion. The ClassUtils.getClass(...) methods can throw StackOverflowError on very long class-name inputs; because StackOverflowError is an Error that application code rarely catches, the calling thread or the whole application can stop unexpectedly.


CVE-2025-48924 Overview

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Critical Impact

The impact is limited to availability: an attacker who can get a crafted class name into ClassUtils.getClass(...) of an unpatched application can crash the calling thread, and with it any web application or service that does not catch Errors. Confidentiality and integrity are not affected. Only applications that pass untrusted strings to ClassUtils.getClass(...) are exposed; a bundled copy of the library that is never called with attacker-controlled input is not reachable through this bug.

Affected Products

  • Apache Commons Lang: commons-lang:commons-lang 2.0 through 2.6, and org.apache.commons:commons-lang3 3.0 up to and including 3.17.0

Discovery Timeline

  • 2025-07-11T15:15:24.347 - CVE CVE-2025-48924 published to NVD
  • 2025-11-04T22:16:17.823 - Last updated in NVD database

Technical Details for CVE-2025-48924

Vulnerability Analysis

The vulnerability results from uncontrolled recursion in the ClassUtils.getClass(...) methods. When given a very long dotted name (many '.'-separated segments) that does not resolve to a class, the method recurses once per separator and can exhaust the thread stack, throwing StackOverflowError. Application code generally catches Exception rather than Error, so the StackOverflowError propagates and the thread, or the whole application, terminates unexpectedly.

Root Cause

The root cause is uncontrolled recursion (CWE-674) rather than a missing length check as such: when a name does not resolve, getClass(...) retries it as a nested class by replacing the last '.' with '$' (so "a.b.C.D" is tried as "a.b.C$D") and calls itself with the rewritten name. A name with N separators therefore recurses N levels deep, and nothing bounds N except the caller. Version 3.18.0 removes the unbounded recursion.
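To make the recursion concrete, the following is an added model of the pre-3.18.0 lookup behaviour written for this page; it is not Commons Lang source. The recursive variant retries an unresolved name with its last '.' turned into '$' and calls itself, so stack depth grows with the number of separators; the iterative variant beside it keeps the same search order at constant depth. The 8,000-segment input and the 256 KB probe-thread stack are choices for the demonstration (the stack size passed to Thread is a hint the JVM may round up), and no real class is named.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.atomic.AtomicReference;

public class GetClassRecursionModel {

    // Model of the old fallback (not the library's source): a dotted name that
    // does not resolve is retried with its last '.' replaced by '$', so
    // "a.b.C.D" becomes "a.b.C$D". Each retry is a recursive call, so the stack
    // depth grows with the number of separators, and every level also keeps its
    // own rewritten copy of the name alive on the heap until the stack unwinds.
    static Class<?> recursiveLookup(ClassLoader loader, String name) throws ClassNotFoundException {
        try {
            return Class.forName(name, false, loader);
        } catch (ClassNotFoundException ex) {
            int lastDot = name.lastIndexOf('.');
            if (lastDot == -1) {
                throw ex;
            }
            return recursiveLookup(loader, name.substring(0, lastDot) + '$' + name.substring(lastDot + 1));
        }
    }

    // Same search order without recursion: stack depth is constant, so a long
    // input costs time proportional to its length but cannot overflow the stack.
    static Class<?> iterativeLookup(ClassLoader loader, String name) throws ClassNotFoundException {
        String candidate = name;
        while (true) {
            try {
                return Class.forName(candidate, false, loader);
            } catch (ClassNotFoundException ex) {
                int lastDot = candidate.lastIndexOf('.');
                if (lastDot == -1) {
                    throw ex;
                }
                candidate = candidate.substring(0, lastDot) + '$' + candidate.substring(lastDot + 1);
            }
        }
    }

    // Runs a lookup on a thread with a deliberately small stack and reports which
    // Throwable ended it, so the difference between the two strategies shows
    // without depending on the JVM's default stack size.
    static String outcome(Callable<Class<?>> lookup, long stackBytes) throws InterruptedException {
        AtomicReference<String> result = new AtomicReference<>("returned a class");
        Thread probe = new Thread(null, () -> {
            try {
                lookup.call();
            } catch (Throwable e) {
                result.set(e.getClass().getName());
            }
        }, "lookup-probe", stackBytes);
        probe.start();
        probe.join();
        return result.get();
    }

    public static void main(String[] args) throws InterruptedException {
        ClassLoader loader = GetClassRecursionModel.class.getClassLoader();
        // Constructed hostile input: 8,000 '.'-separated segments naming no real class.
        String hostile = "a" + ".a".repeat(8_000);
        long smallStack = 256L * 1024;

        // Expected: the recursive model ends in java.lang.StackOverflowError,
        // the iterative one in java.lang.ClassNotFoundException.
        System.out.println("recursive: " + outcome(() -> recursiveLookup(loader, hostile), smallStack));
        System.out.println("iterative: " + outcome(() -> iterativeLookup(loader, hostile), smallStack));
    }
}
```

The probe thread matters: running the recursive lookup directly on the main thread would also overflow, but only at a depth that depends on the launcher's default stack size, which makes the demonstration look flaky across machines. The same input that crashes the recursive model is merely slow for the iterative one, which is the property the 3.18.0 fix restores.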

Attack Vector

The attack vector is any path by which an attacker-controlled string reaches ClassUtils.getClass(...) in an unpatched application: a class name taken from a request parameter, a configuration value, a serialized payload or a plugin descriptor, for example. The CVE is rated as reachable over the network without authentication, but no single protocol is involved; the actual exposure depends on where the calling application sources class names from.

java
// Example exploitation code (sanitized): a long dotted name that resolves to no
// class drives the recursive inner-class fallback in getClass one level per '.'
import org.apache.commons.lang3.ClassUtils;

// Constructed input; the depth needed to overflow depends on the thread's stack size
String longName = "a" + ".a".repeat(10_000);
try {
    ClassUtils.getClass(longName);
} catch (ClassNotFoundException e) {
    // the expected outcome for a name that is rejected or resolves to nothing
} catch (StackOverflowError e) {
    System.err.println("Potential denial of service detected.");
}

Detection Methods for CVE-2025-48924

Indicators of Compromise

  • Threads or whole processes dying with java.lang.StackOverflowError shortly after handling input that carried a class name
  • StackOverflowError stack traces in which the same org.apache.commons.lang3.ClassUtils.getClass frame (org.apache.commons.lang.ClassUtils.getClass for 2.x) repeats hundreds of times
  • Abnormally long class-name strings with thousands of '.' separators in request logs, configuration or deserialized input
  • Service disruption or restart loops; CPU spikes on their own are not a reliable signal for this bug, the crash is

Detection Strategies

Alert on StackOverflowError entries whose stack traces are dominated by repeated ClassUtils.getClass frames; a one-off overflow elsewhere in the application is a different problem. Correlate each hit with the request or job that was in flight to find where the untrusted class name enters the application. Additionally, review application logs for unexpected terminations and restarts.

Monitoring Recommendations

Use application performance monitoring tools to track error rates and thread deaths, and set alerts for StackOverflowError. Make sure uncaught Errors, not only Exceptions, are logged with full stack traces: StackOverflowError is an Error, so a generic catch (Exception e) handler will neither catch nor record it, and the only evidence may be the JVM's default uncaught-exception output or a silently vanished thread.
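The detection logic described above, as an added example written for this page (not SentinelOne or Apache code): it scans log lines, treats each java.lang.StackOverflowError line as the start of a trace, counts the "at ..." frames that follow it, and reports traces dominated by the ClassUtils.getClass frame. The sample log lines are constructed, the threshold of 50 getClass frames is an assumption, and the code needs Java 16 or later for the record.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class GetClassOverflowScanner {

    // Frame emitted by the recursive lookup under both the 2.x package name
    // (org.apache.commons.lang) and the 3.x one (org.apache.commons.lang3).
    static final Pattern GETCLASS_FRAME = Pattern.compile(
            "^\\s*at org\\.apache\\.commons\\.lang3?\\.ClassUtils\\.getClass\\(");

    // A StackOverflowError whose trace is mostly this one frame is the signature
    // of CVE-2025-48924; an overflow dominated by other frames is a different bug.
    static final int MIN_GETCLASS_FRAMES = 50;

    record Finding(int line, int getClassFrames, int totalFrames) { }

    // Walks the log once: a "java.lang.StackOverflowError" line opens a trace, the
    // "at ..." lines after it are its frames, and a finding is recorded when
    // getClass frames are at least half of that trace and above the threshold.
    static List<Finding> scan(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        int i = 0;
        while (i < lines.size()) {
            if (!lines.get(i).contains("java.lang.StackOverflowError")) {
                i++;
                continue;
            }
            int traceStart = i + 1; // 1-based line number for the report
            int total = 0;
            int getClass = 0;
            i++;
            while (i < lines.size() && lines.get(i).trim().startsWith("at ")) {
                total++;
                if (GETCLASS_FRAME.matcher(lines.get(i)).find()) {
                    getClass++;
                }
                i++;
            }
            if (getClass >= MIN_GETCLASS_FRAMES && getClass * 2 >= total) {
                findings.add(new Finding(traceStart, getClass, total));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample log: one overflow caused by the recursive lookup,
        // followed by an unrelated overflow that must not be flagged.
        List<String> log = new ArrayList<>();
        log.add("2025-07-12T10:00:00Z WARN  [http-nio-8080-exec-1] request failed");
        log.add("java.lang.StackOverflowError: null");
        for (int k = 0; k < 200; k++) {
            log.add("\tat org.apache.commons.lang3.ClassUtils.getClass(ClassUtils.java)");
        }
        log.add("\tat com.example.api.TypeResolver.resolve(TypeResolver.java)");
        log.add("2025-07-12T10:05:00Z ERROR [worker-3] job crashed");
        log.add("java.lang.StackOverflowError: null");
        for (int k = 0; k < 200; k++) {
            log.add("\tat com.example.tree.Node.walk(Node.java)");
        }
        for (Finding f : scan(log)) {
            System.out.printf("line %d: StackOverflowError with %d/%d frames in ClassUtils.getClass%n",
                    f.line(), f.getClassFrames(), f.totalFrames());
        }
    }
}
```

Only the first trace is reported. Real traces are usually truncated by the JVM to a fixed number of frames, which is why the rule looks at the share of getClass frames rather than demanding that the whole trace be that one frame.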

How to Mitigate CVE-2025-48924

Immediate Actions Required

  • Upgrade to org.apache.commons:commons-lang3 version 3.18.0 or later; commons-lang 2.x (commons-lang:commons-lang) has no fixed release, so 2.x users must migrate to commons-lang3, which also changes the package name from org.apache.commons.lang to org.apache.commons.lang3
  • Find where untrusted strings reach ClassUtils.getClass(...) and, until the upgrade ships, bound their length and their number of '.' separators before the call
  • Monitor application logs for StackOverflowError traces that contain ClassUtils.getClass frames

Patch Information

Patches are available starting from org.apache.commons:commons-lang3 version 3.18.0; there is no fixed release on the 2.x line. Apache has published a vendor advisory for this CVE.

Workarounds

Upgrading to the fixed version is the recommended course. Where the upgrade cannot ship immediately, the only workaround is in application code: Commons Lang exposes no configuration setting for this, so every place that passes an externally sourced string to ClassUtils.getClass(...) must reject names above a fixed length and, because the recursion depth follows the number of separators, above a fixed number of '.'-separated segments. Legitimate class names are short and shallow, so a limit in the low hundreds of characters and a few dozen segments costs nothing functionally.
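One way to apply that workaround, as an added example written for this page rather than code from the project: a guard that checks the shape of a class name (length, number of segments, identifier characters, optional array suffix) before handing it to ClassUtils.getClass(...). It assumes org.apache.commons:commons-lang3 on the classpath; the limits of 256 characters and 32 segments and the class name GuardedClassLookup are choices made here. The bound on segments is what bounds the recursion depth of the unpatched fallback, and it is a stopgap in front of an unpatched library, not a substitute for upgrading.

```java
import org.apache.commons.lang3.ClassUtils;

public final class GuardedClassLookup {

    // Bounds chosen for this example; adjust to the longest legitimate name the
    // application actually needs. Real class names are short and shallow.
    static final int MAX_NAME_LENGTH = 256;
    static final int MAX_SEGMENTS = 32;

    // Shape check applied before the library sees the string. Array suffixes are
    // allowed because ClassUtils.getClass accepts "java.lang.String[]"; empty
    // segments ("a..b") and non-identifier characters are rejected.
    static boolean wellFormed(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_NAME_LENGTH) {
            return false;
        }
        String base = name;
        while (base.endsWith("[]")) {
            base = base.substring(0, base.length() - 2);
        }
        if (base.isEmpty()) {
            return false;
        }
        String[] segments = base.split("\\.", -1); // -1 keeps empty segments so they can be rejected
        if (segments.length > MAX_SEGMENTS) {
            return false;
        }
        for (String segment : segments) {
            if (segment.isEmpty() || !Character.isJavaIdentifierStart(segment.charAt(0))) {
                return false;
            }
            for (int i = 1; i < segment.length(); i++) {
                if (!Character.isJavaIdentifierPart(segment.charAt(i))) {
                    return false;
                }
            }
        }
        return true;
    }

    // Only well-formed names reach ClassUtils.getClass(...); the segment limit
    // bounds how deep the unpatched inner-class fallback can recurse.
    public static Class<?> lookup(String name) throws ClassNotFoundException {
        if (!wellFormed(name)) {
            throw new IllegalArgumentException(
                    "rejected class name (length " + (name == null ? 0 : name.length()) + ")");
        }
        return ClassUtils.getClass(name);
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // The inner-class fallback still works for real names: Map.Entry resolves to Map$Entry.
        System.out.println(lookup("java.util.Map.Entry"));
        // Array syntax the library accepts passes the guard too.
        System.out.println(lookup("java.lang.String[]"));
        // Constructed attack input: rejected by the segment limit before the library is called.
        String hostile = "a" + ".a".repeat(10_000);
        try {
            lookup(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Character.isJavaIdentifierStart and isJavaIdentifierPart both accept '$', so names that already use the binary inner-class form pass unchanged. The guard deliberately throws rather than returning null, so a rejected name surfaces as a logged 4xx-style input error at the boundary instead of being silently treated as "class not found" deeper in the application.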

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
