Apache Commons Text VEX (Vulnerability Exploitability eXchange) document, 2025-08-04T11:45:36Z

Component: org.apache.commons:commons-configuration2
CPE: cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:*
Package URL: pkg:maven/org.apache.commons/commons-configuration2?type=jar
Supplier: The Apache Software Foundation, https://commons.apache.org
Contacts: Apache Commons PMC (dev@commons.apache.org); Apache Commons Security Team (security@commons.apache.org)

Vulnerability: CVE-2025-48924, GHSA-j288-q9x7-2f5v (https://github.com/advisories/GHSA-j288-q9x7-2f5v)
Analysis state: exploitable
Response: update
Affects: main_component, version range `=2.4|<3` (affected)

## Analysis

CVE-2025-48924 **affects** Apache Commons Configuration versions 2.4 and later, but only when **all** of the following conditions are met:

* The application includes a **vulnerable version** of Commons Lang on the classpath.
* The library is used to parse configuration files from **untrusted sources**.

When these conditions are present, an attacker can trigger an **infinite loop** by submitting a configuration containing a `${const:...}` expression.

### Root Cause

This issue stems from the use of a default `ConfigurationInterpolator`, which delegates string resolution to Commons Text's `InterpolatorStringLookup`. This lookup is exploitable under certain conditions, as detailed in the [Commons Text VEX document](https://raw.githubusercontent.com/apache/commons-text/refs/heads/master/src/conf/security/VEX.cyclonedx.xml).

### Recommended Mitigations

Projects that process untrusted configuration input should:

* **Upgrade Commons Lang** to version 3.18.0 or later.
* **Restrict `Lookup` classes** used by the `ConfigurationInterpolator` to safe implementations by explicitly configuring them via `Configuration.installInterpolator`.

### References

* [Commons Text VEX document](https://raw.githubusercontent.com/apache/commons-text/refs/heads/master/src/conf/security/VEX.cyclonedx.xml)

## About this document

This document provides information about the **exploitability of known vulnerabilities** in the **dependencies** of Apache Commons Text.

# When is a dependency vulnerability exploitable?

Because Apache Commons libraries do **not** bundle their dependencies, a vulnerability in a dependency is only exploitable if **both** of the following conditions are true:

1. The vulnerable dependency is included in the consuming project.
2. Apache Commons Text is explicitly listed as affected by the vulnerability.

# Notes and Limitations

* This VEX document is **experimental** and provided **as-is**. The semantics of this document may change in the future.
* The **absence** of a vulnerability entry does **not** indicate that this component is unaffected.
* If a version of Text is not listed under the `affects` section of a vulnerability, that version may or may not be affected.
* Only the **latest major version** of Text is currently assessed for vulnerabilities.
* The `analysis` field in the VEX file uses **Markdown** formatting.