Hi,

CVE-2025-48924 impacts commons-lang:2.6, however the clients have
no option to avoid the CVE in their apps.

The upgrade from commons-lang 2 to 3 requires client code rewrite, and
asking clients to rewrite their code to avoid CVE does not seem right.

For instance, I have the following dependency chain:

+--- io.codearte.gradle.nexus:gradle-nexus-staging-plugin:0.21.2
     \--- org.codehaus.groovy.modules.http-builder:http-builder:0.7.1
          +--- net.sf.json-lib:json-lib:2.3
               +--- commons-lang:commons-lang:2.4 <- CVE-2025-48924
               \--- net.sf.ezmorph:ezmorph:1.0.6
                    \--- commons-lang:commons-lang:2.3 -> 2.4 <- CVE-2025-48924

The software in question is somewhat outdated, and migrating to a
completely different stack would take enormous time.

Would you please consider fixing the CVE and releasing it via 2.6.1?
As far as I understand, backporting the fix would be trivial, and it would
really help for those who still use commons-lang:2.6.

I could help with backporting the fix, however I would need the help of PMC
to release 2.6.1.

Vladimir
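The dependency chain quoted in the message is the kind of thing a build owner has to find across many projects, and the `->` arrows mean the version Gradle actually puts on the classpath is not always the one a library asked for. The script below is an added example, not code from the email's author or from the Commons project: it parses `gradle dependencies` tree output (the sample tree is the one from the message, constructed inline with the wrapped line re-joined), follows Gradle's `requested -> resolved` notation so each artifact is judged by its resolved version, and reports every occurrence of an affected artifact together with the path that pulled it in. The `VULNERABLE` policy table is an assumption for the example; it encodes only what the message states, namely that CVE-2025-48924 affects the commons-lang 2.x line.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: the tree from the email as `gradle dependencies` prints it.
# Each nesting level is five columns wide; the last line shows a version
# conflict that Gradle resolved from the requested 2.3 to 2.4.
SAMPLE_TREE = r"""
+--- io.codearte.gradle.nexus:gradle-nexus-staging-plugin:0.21.2
     \--- org.codehaus.groovy.modules.http-builder:http-builder:0.7.1
          +--- net.sf.json-lib:json-lib:2.3
               +--- commons-lang:commons-lang:2.4
               \--- net.sf.ezmorph:ezmorph:1.0.6
                    \--- commons-lang:commons-lang:2.3 -> 2.4
"""

# Assumed policy table for this example: group:name -> (CVE id, predicate over
# the resolved version). The only fact encoded is the one the email gives:
# CVE-2025-48924 affects commons-lang 2.x.
VULNERABLE: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "commons-lang:commons-lang": ("CVE-2025-48924", lambda v: v.startswith("2.")),
}

NODE_RE = re.compile(
    r"^(?P<indent>[ |+\\-]*)"                       # tree prefix: spaces, '|', '+---', '\---'
    r"(?P<group>[^:\s]+):(?P<name>[^:\s]+):(?P<version>[^\s]+)"
    r"(?:\s+->\s+(?P<resolved>[^\s]+))?"            # 'requested -> resolved' on conflicts
)


def parse_tree(text: str) -> List[Dict[str, object]]:
    """Turn Gradle tree output into nodes carrying coordinates, versions and ancestry.

    'resolved' is the version Gradle actually selected; when no arrow is
    printed it equals the requested version.
    """
    nodes: List[Dict[str, object]] = []
    stack: List[str] = []  # resolved coordinates of the current node's ancestors
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # configuration headers, blank lines, legend text
        depth = len(m.group("indent")) // 5 - 1  # root entries sit at depth 0
        coord = f"{m.group('group')}:{m.group('name')}"
        resolved = m.group("resolved") or m.group("version")
        del stack[depth:]  # drop ancestors deeper than this node's parent
        nodes.append({
            "coord": coord,
            "requested": m.group("version"),
            "resolved": resolved,
            "path": list(stack),
        })
        stack.append(f"{coord}:{resolved}")
    return nodes


def find_vulnerable(nodes: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Match each node's *resolved* version against the policy table."""
    findings: List[Dict[str, str]] = []
    for n in nodes:
        entry = VULNERABLE.get(str(n["coord"]))
        if entry is None:
            continue
        cve, affected = entry
        if affected(str(n["resolved"])):
            findings.append({
                "cve": cve,
                "artifact": f"{n['coord']}:{n['resolved']}",
                "via": " -> ".join(n["path"]) or "(direct)",
            })
    return findings


def report(text: str) -> List[str]:
    """One human-readable line per affected artifact, with the chain that pulled it in."""
    return [f"{f['cve']}: {f['artifact']} via {f['via']}"
            for f in find_vulnerable(parse_tree(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_TREE):
        print(line)
```

Run it against real output with `gradle dependencies --configuration <name> > deps.txt` and feed the file to `report`; the buildscript classpath in the message is inspected with `gradle buildEnvironment`, whose tree has the same shape. Judging by the resolved version matters here: the ezmorph branch asked for 2.3, but 2.4 is what ends up loaded, so that is the version the finding records.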
