GitHub
github.com › zeroturnaround › zt-exec › issues › 52
commons-lang 2.6 has vulnerabilities reported by Whitesource · Issue #52 · zeroturnaround/zt-exec
June 2, 2017 - It would be excellent if you could move to using commons-lang3 instead of commons-lang. Today WhiteSource static scanner started reporting two items in commons-lang 2.6 as blocker bugs. https://issues.apache.org/jira/browse/LANG-1049 htt...
Author wattdave
GitHub
github.com › hapifhir › hapi-fhir › issues › 7121
CVE-2025-48924 (Medium) detected in commons-lang-2.6.jar, commons-lang3-3.2.jar · Issue #7121 · hapifhir/hapi-fhir
July 13, 2025 - CVE-2025-48924 - Medium Severity Vulnerability Vulnerable Libraries - commons-lang-2.6.jar, commons-lang3-3.2.jar commons-lang-2.6.jar Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or ...
Author mend-bolt-for-github
GitHub
github.com › sassoftware › commons-lang
GitHub - sassoftware/commons-lang: Apache Commons Lang
November 10, 2025 - Last Updated: November 10, 2025 Fix Version: commons-lang 2.6-CVE-2025-48924 Status: ✅ Fully Tested and Validated
Author sassoftware
CVE Details
cvedetails.com › version › 637790 › Apache-Commons-Io-2.6.html
Apache Commons Io 2.6 security vulnerabilities, CVEs
Vulnerability statistics provide a quick overview for security vulnerabilities of Apache » Commons Io » version 2.6 .
Miggo
miggo.io › vulnerability-database › cve › CVE-2025-48924
CVE-2025-48924: Commons Lang ClassUtils DoS
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
GitHub
github.com › advisories › GHSA-j288-q9x7-2f5v
Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs · CVE-2025-48924 · GitHub Advisory Database · GitHub
July 11, 2025 - Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
IBM
ibm.com › support › pages › security-bulletin-security-vulnerability-apache-commons-lang-may-affect-ibm-business-automation-workflow-cve-2025-48924
Security Bulletin: Security vulnerability in Apache Commons Lang may affect IBM Business Automation Workflow - CVE-2025-48924
February 2, 2026 - CVEID: CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can ...
Snyk
security.snyk.io › snyk vulnerability database › linux › centos
apache-commons-lang vulnerabilities | Snyk
Known vulnerabilities in the apache-commons-lang package.
IBM
ibm.com › support › pages › security-bulletin-vulnerability-apache-commons-lang-may-affect-ibm-decision-optimization-ibm-cloud-pak-data-cve-2025-48924
Security Bulletin: A vulnerability in Apache Commons Lang may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-48924)
September 26, 2025 - CVEID: CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can ...
Apache JIRA
issues.apache.org › jira › browse › CASSANDRA-20849
[CASSANDRA-20849] commons-lang vulnerability: CVE-2025-48924 - ASF Jira
August 25, 2025 - Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
IBM
ibm.com › support › pages › security-bulletin-vulnerability-apache-commons-lang-cve-2025-48924-affects-ibm-powervm-novalink
Security Bulletin: Vulnerability in Apache Commons Lang (CVE-2025-48924) affects IBM PowerVM Novalink.
October 21, 2025 - CVEID: CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can ...
Snyk
security.snyk.io › snyk vulnerability database › maven › commons-io:commons-io
commons-io:commons-io 2.6 vulnerabilities | Snyk
Learn more about known commons-io:commons-io 2.6 vulnerabilities and licenses detected.
IBM
ibm.com › support › pages › security-bulletin-ibm-spss-analytic-server-affected-vulnerability-apache-commons-lang-cve-2025-48924
Security Bulletin: IBM SPSS Analytic Server is affected by a vulnerability in Apache Commons Lang (CVE-2025-48924).
CVEID: CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can ...
Apache JIRA
issues.apache.org › jira › browse › HDDS-13529
[HDDS-13529] Upgrade Apache Commons Lang to 3.18.0 due to CVE-2025-48924 - ASF Jira
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long ...
Cybersecurity Help
cybersecurity-help.cz › vdb › apache_foundation › lang › 2.6
Known Vulnerabilities in Apache Commons Lang 2.6
Multiple vulnerabilities in Oracle Communications Offline Mediation Controller22 Oct, 2025 Medium Patched · Uncontrolled Recursion in Apache Commons Lang04 Aug, 2025 Medium Patched
GitHub
github.com › keycloak › keycloak › issues › 41184
CVE-2025-48924 - Uncontrolled Recursion vulnerability in Apache Commons Lang · Issue #41184 · keycloak/keycloak
April 20, 2025 - Package: org.apache.commons:commons-lang3 Installed Version: 3.17.0 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: 3.18.0 Link: CVE-2025-48924 · This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
Author rmartinc
IBM
ibm.com › support › pages › security-bulletin-ibm-maximo-application-suite-ai-service-component-uses-apache-commons-lang-which-vulnerable-cve-2025-48924
Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses Apache Commons Lang which is vulnerable to CVE-2025-48924
September 23, 2025 - CVEID: CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can ...
Apache Commons
commons.apache.org › proper › commons-lang › upgradeto2_6.html
2.6 Release Notes – Apache Commons Lang
November 12, 2025 - Apache Commons, Apache Commons Lang, Apache, the Apache logo, and the Apache Commons project logos are trademarks of The Apache Software Foundation.
Snyk
security.snyk.io › snyk vulnerability database › maven
commons-lang:commons-lang vulnerabilities | Snyk
Published: 20 years ago Last updated: 15 years ago Latest version: 2.6 Latest non-vulnerable version: 1.0.1 ... Known vulnerabilities in the commons-lang:commons-lang package.
Top answer 1 of 3
1
The base package of Apache Commons Lang 3 is not org.apache.commons.lang anymore.
Provided that the error occurs in your own code, you have to replace it with the org.apache.commons.lang3 package .
If it occurs in external libraries, either upgrade them to a version that uses Lang 3 (if it is possible), or you may have to also keep your older commons lang among the dependencies (as explained in the answer by Karol, the distinct packages will prevent possible conflicts anyway).
e.g :
org.apache.commons.lang.StringUtils in Lang 2.6
vs
org.apache.commons.lang3.StringUtils in Lang 3
2 of 3
1
commons-lang3 is using org.apache.commons.lang3 base package to avoid conflicts with previous versions of commons-lang. This allows both 2.X and 3.X to be used at the same time.
To update to 3.X uou have to change the import in your code e.g. use
import org.apache.commons.lang3.StringUtils;