Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please...
Hi, just a heads-up that the transitive dependency org.apache.commons:commons-lang3 pulled in by opencsv is currently pinned to version 3.17.0, which is affected by CVE-2025-48924 (CVSS 5.3).
The vulnerability involves uncontrolled recursion in ClassUtils.getClass(...), which can throw a StackOverflowError on very long inputs and potentially cause the application to stop. The fix was introduced in version 3.18.0.
Would it be possible to upgrade this dependency to 3.20.0 (current latest)? Thanks for maintaining opencsv!
Reference: https://www.mend.io/vulnerability-database/CVE-2025-48924
Hello Laurent.
Make sure you are using version 5.12.0 as that is using 3.18.0. If you are using 5.12.0 then look at https://sourceforge.net/p/opencsv/feature-requests/175/ for a possible solution.
The snapshot version does use 3.20.0 but it is just dependency updates thus far so there has not been a reason to update. Here again if you want to force 3.20.0 then look at the above feature request for the solution.
Hope that helps.
Scott Conway :)
Hi Scott.
Indeed, I don't know how I missed that. Seems I'm having the same issue described in that other ticket.
Sorry for the dup. I'll be more careful in the future.
No worries - I cannot count the number of times I have been personally burned by overriding transitive dependencies and so I am not surprised when I get a couple of these tickets every year. I was just surprised that I had two this close together.
Scott :)
On my end, the reason I didn't question this is I wasn't expecting spring-boot to not be using the latest version. They decided not to backport the change to the 3.5 branch,
if you're curious: https://github.com/spring-projects/spring-boot/issues/46437
Also IntelliJ's dependency analyser doesn't tell me that the version is coming from spring-boot pinning that version.
Anyway thanks, problem solved ;)
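The situation in this thread (opencsv 5.12.0 declares commons-lang3 3.18.0, but a Spring Boot BOM pins 3.17.0, so the resolved version is still the affected one) can be caught with a quick check of `mvn dependency:tree` output. The script below is an added example, not code from opencsv or the feature request linked above; the tree text it parses is a constructed sample of what `mvn dependency:tree -Dincludes=org.apache.commons:commons-lang3` prints for such a project.

```shell
#!/bin/sh
# Added example: flag a resolved commons-lang3 version below the one that
# fixes CVE-2025-48924 (3.18.0, per the ticket) in Maven dependency:tree output.
FIXED_VERSION="3.18.0"

# Constructed sample: opencsv 5.12.0 on the classpath, yet the resolved
# commons-lang3 is 3.17.0 because a Spring Boot BOM manages that version.
SAMPLE_TREE='[INFO] --- dependency:3.6.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- com.opencsv:opencsv:jar:5.12.0:compile
[INFO]    \- org.apache.commons:commons-lang3:jar:3.17.0:compile'

# Print the commons-lang3 version that dependency:tree actually resolved
# (the managed/pinned version, not the one opencsv declares).
resolved_lang3_version() {
  printf '%s\n' "$1" \
    | sed -n 's/.*org\.apache\.commons:commons-lang3:jar:\([^:]*\):.*/\1/p' \
    | head -n 1
}

# Succeed when dotted version $1 is at least $2 (relies on GNU/BusyBox sort -V).
version_at_least() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Return 0 when the tree resolves a fixed version, 1 when it is still affected,
# 2 when commons-lang3 does not appear at all.
check_tree() {
  v=$(resolved_lang3_version "$1")
  if [ -z "$v" ]; then
    echo "commons-lang3 not found in dependency tree"
    return 2
  fi
  if version_at_least "$v" "$FIXED_VERSION"; then
    echo "commons-lang3 $v: not affected by CVE-2025-48924"
    return 0
  fi
  echo "commons-lang3 $v: affected by CVE-2025-48924, override to >= $FIXED_VERSION"
  return 1
}

check_tree "$SAMPLE_TREE"
```

Run against real output with `mvn dependency:tree -Dincludes=org.apache.commons:commons-lang3 | sh -c 'check_tree "$(cat)"'` after sourcing the functions; when the BOM is the source of the pin, the version has to be overridden where the BOM is imported (for Spring Boot's Maven BOM that is the `commons-lang3.version` property), not only in opencsv's own pom.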