
#175 Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable

open
None
1
5 days ago
6 days ago
No

In version com.opencsv:opencsv:5.12.0 there is dependency:

Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable

I get warning CVE-2025-48924
5.3
Transitive Insufficient Information

Any plans to update library version?

Discussion

  • Scott Conway

    Scott Conway - 6 days ago

    Hello Peter

    What version opencsv are you using? The latest release version 5.12.0 uses 3.18.0

    https://central.sonatype.com/artifact/com.opencsv/opencsv/dependencies

    Please let me know if there are any issues with that version of commons-lang3. If so, the current snapshot version uses 3.20.0, but I have not released it yet because all it has is dependency updates.

     
  • Peter Penzov

    Peter Penzov - 6 days ago

    I use com.opencsv:opencsv:5.12.0

    In Intellij I see this warning:

    Dependency maven:org.apache.commons:commons-lang3:3.17.0 is vulnerable
    
    Update to unaffected version 3.18.0
    
    CVE-2025-48924,  Score: 5.3
    
    Uncontrolled Recursion vulnerability in Apache Commons Lang.
    This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
    The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
    StackOverflowError could cause an application to stop.
    Users are recommended to upgrade to version 3.18.0, which fixes the issue.
     Mend Note: The description of this vulnerability differs from MITRE.
    
    Read More: https://www.mend.io/vulnerability-database/CVE-2025-48924?utm_source=Jetbrains
    
    Results powered by Mend.io
    
     
  • Scott Conway

    Scott Conway - 5 days ago

    Sorry Peter, this must be an issue with the build of your project, because 5.12.0 does use commons-lang3 3.18.0 as you can see from https://central.sonatype.com/artifact/com.opencsv/opencsv/dependencies.

    If you use Maven to build your projects (and I apologize, I do not know enough about Gradle to know the equivalent off hand) run the following on your project:

    mvn dependency:tree

    and from what you are telling me it should show 3.17 instead of 3.18. This is because another dependency pulled in 3.17.0 as a transitive dependency. If so then run

    mvn dependency:tree -Dverbose

    and that will show you which dependency is pulling commons-lang3 3.17.0.

    To fix the issue you need to add a dependencyManagement section in your pom.xml file.

        <dependencyManagement>
            <dependencies>
                <dependency>
                    <groupId>org.apache.commons</groupId>
                    <artifactId>commons-lang3</artifactId>
                    <version>3.18.0</version>
                </dependency>
            </dependencies>
        </dependencyManagement>

    And that is Maven's way of saying "I am not telling you to use commons-lang3, but if you do you will use version 3.18.0."
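One way to automate the check described in the comment above, as an added example that is not code from the opencsv project or from the ticket: the script parses the text of `mvn dependency:tree -Dverbose`, reports which direct dependency wins Maven's nearest-wins resolution for commons-lang3 (the non-omitted occurrence), lists the occurrences Maven omitted, and flags the result when the resolved version is below the fixed version. The embedded tree is a constructed sample; the `com.example.legacy` artifacts are hypothetical stand-ins for whatever library drags in 3.17.0, and the opencsv subtree is simplified rather than the real one.

```python
"""Find which direct dependency wins Maven's nearest-wins resolution for an
artifact, from the text of `mvn dependency:tree -Dverbose` (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `mvn dependency:tree -Dverbose` output.
# com.example.legacy:* are hypothetical libraries; the opencsv subtree is
# simplified and does not claim to be the real one.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ myapp ---
[INFO] com.example:myapp:jar:1.0-SNAPSHOT
[INFO] +- com.example.legacy:report-utils:jar:2.4.1:compile
[INFO] |  \\- org.apache.commons:commons-lang3:jar:3.17.0:compile
[INFO] \\- com.opencsv:opencsv:jar:5.12.0:compile
[INFO]    +- com.example.legacy:text-helpers:jar:1.0.0:compile
[INFO]    |  \\- (org.apache.commons:commons-lang3:jar:3.18.0:compile - omitted for conflict with 3.17.0)
[INFO]    \\- (org.apache.commons:commons-lang3:jar:3.18.0:compile - omitted for conflict with 3.17.0)
"""

# Each tree level is drawn as a 3-character cell: "+- ", "\- ", "|  " or "   ".
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<body>\S.*)$")


def parse_node(body: str) -> Optional[Dict[str, object]]:
    """Split one tree entry into coordinates; omitted entries are in parentheses.
    Returns None for non-coordinate lines such as the plugin banner."""
    omitted = body.startswith("(") and body.endswith(")")
    reason: Optional[str] = None
    if omitted:
        body = body[1:-1]
        body, _, reason = body.partition(" - ")  # "omitted for conflict with X"
    parts = body.split(":")
    if len(parts) < 4:
        return None
    # root: g:a:packaging:version ; others: g:a:packaging[:classifier]:version:scope
    version = parts[3] if len(parts) == 4 else parts[-2]
    return {"group": parts[0], "artifact": parts[1], "version": version,
            "omitted": omitted, "reason": reason}


def analyze_tree(tree_text: str, group: str, artifact: str) -> Dict[str, object]:
    """Return the resolved occurrence of group:artifact and every omitted one,
    each tagged with the direct dependency that introduced it."""
    stack: List[Dict[str, object]] = []  # ancestors from the project root down
    effective: Optional[Dict[str, str]] = None
    omitted: List[Dict[str, str]] = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        node = parse_node(m.group("body"))
        if node is None:
            continue
        depth = len(m.group("prefix")) // 3
        stack = stack[:depth]
        stack.append(node)
        if node["group"] != group or node["artifact"] != artifact:
            continue
        # stack[0] is the project itself; stack[1] is the direct dependency to blame
        via_node = stack[1] if len(stack) > 1 else stack[0]
        entry = {"version": str(node["version"]),
                 "via": f"{via_node['group']}:{via_node['artifact']}:{via_node['version']}"}
        if node["omitted"]:
            omitted.append(entry)
        else:
            effective = entry
    return {"effective": effective, "omitted": omitted}


def version_tuple(v: str, width: int = 4) -> Tuple[int, ...]:
    """Numeric components padded with zeros so 3.17 and 3.17.0 compare equal."""
    nums = [int(x) for x in re.findall(r"\d+", v)][:width]
    return tuple(nums + [0] * (width - len(nums)))


def version_below(version: str, fixed: str) -> bool:
    """True when `version` sorts before `fixed` (e.g. 3.17.0 < 3.18.0)."""
    return version_tuple(version) < version_tuple(fixed)


def report(tree_text: str, group: str, artifact: str, fixed: str) -> List[str]:
    """Human-readable summary: resolved version, who pulled it in, what was omitted."""
    res = analyze_tree(tree_text, group, artifact)
    eff = res["effective"]
    if eff is None:
        return [f"{group}:{artifact} is not on the classpath"]
    status = "VULNERABLE" if version_below(eff["version"], fixed) else "ok"
    lines = [f"{status}: {group}:{artifact}:{eff['version']} resolved via {eff['via']}"]
    for o in res["omitted"]:
        lines.append(f"  omitted {o['version']} from {o['via']} (nearest-wins)")
    if status == "VULNERABLE":
        lines.append(f"  pin {group}:{artifact} to {fixed} in <dependencyManagement>")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TREE, "org.apache.commons", "commons-lang3", "3.18.0")))
```

On a real project, pipe the plugin's output into the script instead of `SAMPLE_TREE`; the "VULNERABLE ... resolved via" line names the direct dependency that the `dependencyManagement` pin above overrides, and the "omitted" lines confirm that opencsv itself asked for 3.18.0.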

     

