Update dependency org.apache.commons:commons-lang3 to v3.18.0 [SECURITY] #99
Summary
This PR updates Apache Commons Lang from 3.17.0 to 3.18.0 to fix CVE-2025-48924, a medium-severity uncontrolled recursion vulnerability in
What reviewers should know
Scope: This is a contained dependency update affecting only the pom.xml file. No code logic changes in this repository.
What to verify:
Build verification: Ensure Maven builds successfully with the new version and that any CI checks pass.
Renovate Jira issue ID: JAVASE-213
Clean security update. Both version pins are correctly bumped to 3.18.0, and the APIs this project actually uses (StringUtils, EqualsBuilder, HashCodeBuilder) are unaffected by CVE-2025-48924 — the vulnerability is in ClassUtils.getClass(), which is never imported here. One structural issue noted inline.
| <dependency> | ||
| <groupId>org.apache.commons</groupId> | ||
| <artifactId>commons-lang3</artifactId> | ||
| <version>3.12.0</version> | ||
| <version>3.18.0</version> |
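Review bot: the explicit `<version>` element on this dependency (the line bumped from 3.12.0 to 3.18.0) overrides the commons-lang3 version managed by the root BOM, which is how this module drifted to 3.12.0 while the BOM was already at 3.17.0; keeping the pin means the next BOM bump will leave this module behind again unless Renovate updates both places. Suggest removing the `<version>` element and keeping `<scope>provided</scope>` so the BOM controls the version.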
This module inherits from the root BOM (via java-se → sonar-java-symbolic-execution) which already manages commons-lang3. The explicit <version> here is what caused this module to drift to 3.12.0 while the BOM was already at 3.17.0, requiring Renovate to update two separate places.
Dropping the <version> tag lets the BOM control the version, while <scope>provided</scope> can stay to preserve compile-time-only behaviour:
| <dependency> | |
| <groupId>org.apache.commons</groupId> | |
| <artifactId>commons-lang3</artifactId> | |
| <version>3.12.0</version> | |
| <version>3.18.0</version> | |
| <dependency> | |
| <groupId>org.apache.commons</groupId> | |
| <artifactId>commons-lang3</artifactId> | |
| <scope>provided</scope> | |
| </dependency> |
a5ccb5f to 4e93cb1
The prior issue flagged on java-symbolic-execution-checks-test-sources/pom.xml is still open: that module explicitly pins commons-lang3 at 3.12.0, overriding the root BOM and leaving it on a vulnerable version even after this PR. The other two consumers (java-symbolic-execution-plugin and its/ruling) correctly inherit from the BOM and will pick up 3.18.0.
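A check for the drift the reviewers describe above (a module POM carrying an explicit `<version>` that overrides the root BOM), added here as example code rather than anything from the project or Renovate. The POM fragments are constructed samples and the module names are placeholders, not the repository's real files.

```python
import xml.etree.ElementTree as ET

COMMONS_LANG3 = ("org.apache.commons", "commons-lang3")

def _parse(pom_xml):
    """Parse a pom.xml string and drop the POM namespace so tag lookups are plain."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root

def _child_text(dep, tag):
    el = dep.find(tag)
    return el.text.strip() if el is not None and el.text else None

def dependency_pins(pom_xml, group_id, artifact_id):
    """Return (section, version) for each declaration of the artifact.
    'managed' = under <dependencyManagement>, 'direct' = the module's own
    <dependencies>; version is None when the module defers to the BOM."""
    root = _parse(pom_xml)
    pins = []
    for section, path in (("managed", "dependencyManagement/dependencies/dependency"),
                          ("direct", "dependencies/dependency")):
        for dep in root.findall(path):
            if (_child_text(dep, "groupId"), _child_text(dep, "artifactId")) == (group_id, artifact_id):
                pins.append((section, _child_text(dep, "version")))
    return pins

def drifted_modules(root_pom_xml, module_poms, group_id, artifact_id):
    """Map module name -> explicit version for modules whose direct <version>
    overrides the root BOM with a different version (the 3.12.0 case above)."""
    managed = [v for s, v in dependency_pins(root_pom_xml, group_id, artifact_id) if s == "managed"]
    if not managed:
        raise ValueError(f"{group_id}:{artifact_id} is not managed by the root POM")
    return {name: v for name, xml in module_poms.items()
            for s, v in dependency_pins(xml, group_id, artifact_id)
            if s == "direct" and v is not None and v != managed[0]}

# Constructed sample POMs (placeholders, not the project's files): the BOM manages
# 3.18.0, one module pins 3.12.0 explicitly, the other defers to the BOM.
ROOT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencyManagement>
  <dependencies><dependency><groupId>org.apache.commons</groupId>
  <artifactId>commons-lang3</artifactId><version>3.18.0</version></dependency>
  </dependencies></dependencyManagement></project>"""
MODULE_POMS = {
    "checks-test-sources": """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId>
  <version>3.12.0</version><scope>provided</scope></dependency></dependencies></project>""",
    "plugin": """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId>
  </dependency></dependencies></project>""",
}

if __name__ == "__main__":
    print(drifted_modules(ROOT_POM, MODULE_POMS, *COMMONS_LANG3))  # {'checks-test-sources': '3.12.0'}
```

Run against the real root and module pom.xml files, a non-empty result is the list of modules a BOM-level bump will not reach.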
This PR contains the following updates:
3.12.0 → 3.18.0
3.17.0 → 3.18.0
Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs
CVE-2025-48924 / GHSA-j288-q9x7-2f5v
Details
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (in timezone Europe/Berlin)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.