Description
📂 Vulnerable Library - commons-lang-2.6.jar
Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-842749-413332 | 🟣 Critical | 9.8 | N/A | N/A | commons-lang-2.6.jar | Direct | N/A | ❌ | |
| CVE-2025-48924 | 🟠 Medium | 6.9 | Not Defined | < 1% | commons-lang-2.6.jar | Direct | N/A | ❌ | |
Details
🟣CVE-842749-413332
Vulnerable Library - commons-lang-2.6.jar
Dependency Hierarchy:
- ❌ commons-lang-2.6.jar (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-842749-413332
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2025-48924
Vulnerable Library - commons-lang-2.6.jar
Dependency Hierarchy:
- ❌ commons-lang-2.6.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.owasp.benchmark.helpers.LDAPServer (Application)
- org.apache.directory.server.ldap.LdapServer (Extension)
- org.apache.directory.server.core.security.CoreKeyStoreSpi (Extension)
- org.apache.commons.lang.ArrayUtils (Extension)
- org.apache.commons.lang.builder.ToStringStyle (Extension)
-> ❌ org.apache.commons.lang.ClassUtils (Vulnerable Component)
Vulnerability Details
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 through 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0.
The ClassUtils.getClass(...) methods can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 11, 2025 02:56 PM
URL: CVE-2025-48924
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution: