Document timestamp: 2025-08-04T11:45:36Z

# Component

* Group / artifact: org.apache.commons / commons-text
* CPE: cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:*
* Package URL: pkg:maven/org.apache.commons/commons-text?type=jar
* Supplier: The Apache Software Foundation, https://commons.apache.org
* Contacts: Apache Commons PMC (dev@commons.apache.org); Apache Commons Security Team (security@commons.apache.org)

# CVE-2025-48924

* Alias: GHSA-j288-q9x7-2f5v
* Reference: https://github.com/advisories/GHSA-j288-q9x7-2f5v
* Analysis state: exploitable
* Response: update

Analysis:

CVE-2025-48924 is exploitable in Apache Commons Text versions 1.5 and later, but only when all the following conditions are met:

* The consuming project includes a vulnerable version of Commons Lang on the classpath. As of version `1.14.1`, Commons Text no longer references a vulnerable version of the `commons-lang3` library in its POM file.
* Unvalidated or unsanitized user input is passed to the `StringSubstitutor` or `StringLookup` classes.
* An interpolator lookup created via `StringLookupFactory.interpolatorLookup()` is used.

If these conditions are satisfied, an attacker may cause an infinite loop by submitting a specially crafted input such as `${const:...}`.

* Analysis first issued: 2025-07-29T12:26:42Z
* Analysis last updated: 2025-07-29T12:26:42Z
* Affects: main_component, version range `=1.5|<2`, status: affected
* Published by: Apache Commons PMC (dev@commons.apache.org), 2025-07-29T12:26:42Z

# About this document

This document provides information about the **exploitability of known vulnerabilities** in the **dependencies** of Apache Commons Text.

# When is a dependency vulnerability exploitable?

Because Apache Commons libraries do **not** bundle their dependencies, a vulnerability in a dependency is only exploitable if **both** of the following conditions are true:

1. The vulnerable dependency is included in the consuming project.
2. Apache Commons Text is explicitly listed as affected by the vulnerability.

# Notes and Limitations

* This VEX document is **experimental** and provided **as-is**. The semantics of this document may change in the future.
* The **absence** of a vulnerability entry does **not** indicate that Text is unaffected.
* If a version of Text is not listed under the `affects` section of a vulnerability, that version may or may not be affected.
* Only the **latest major version** of Text is currently assessed for vulnerabilities.
* The `analysis` field in the VEX file uses **Markdown** formatting.