Skip to content

[GHSA-j288-q9x7-2f5v] Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs #6407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[GHSA-j288-q9x7-2f5v] Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs #6407

wants to merge 1 commit into from

Conversation

@lukaseder
Copy link

@lukaseder lukaseder commented Nov 10, 2025

Updates

  • Affected products
  • CVSS v3
  • Severity

Comments
I really think this is just a bug, not a "real" security issue. Anything that parses stuff can run into StackOverflowError if input is too big, and the input passed to this particular method is really not user input or any other "risky" input, but from program internals, so it's very unlikely for this error to appear.

I really wish these CVEs were vetted a bit more before they generate tons of alerts everywhere.

Copilot AI review requested due to automatic review settings November 10, 2025 17:11
@lukaseder lukaseder mentioned this pull request Nov 10, 2025
Closed
@github-actions github-actions bot changed the base branch from main to lukaseder/advisory-improvement-6407 November 10, 2025 17:12
Copilot AI reviewed Nov 10, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@helixplant
Copy link

helixplant commented Nov 13, 2025

Thanks for your contribution to the Advisory Database! We are not accepting this contribution as this advisory is about a valid vulnerability, as reaffirmed by the Apache Foundation's assignment and publication of CVE-2025-48924. If you wish to dispute the validity of the CVE, please reach out to the assigning CNA directly. If you wish to dispute the severity, please reach out to the CISA Authorized Data Publisher by filing an issue.

@helixplant helixplant closed this Nov 13, 2025
@github-actions github-actions bot deleted the lukaseder-GHSA-j288-q9x7-2f5v branch November 13, 2025 16:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lukaseder @helixplant