How about using the current io.codearte.gradle.nexus:gradle-nexus-staging-plugin 0.30.0 (from 2021!) instead of a plugin from 2019?
That might help...

Gary

On Thu, Nov 13, 2025, 10:23 Vladimir Sitnikov <[email protected]> wrote:

> Hi,
>
> CVE-2025-48924 impacts commons-lang:2.6; however, the clients have
> no option to avoid the CVE in their apps.
>
> The upgrade from commons-lang 2 to 3 requires client code rewrite, and
> asking clients to rewrite their code to avoid the CVE does not seem right.
>
> For instance, I have the following dependency chain:
>
> +--- io.codearte.gradle.nexus:gradle-nexus-staging-plugin:0.21.2
>      \--- org.codehaus.groovy.modules.http-builder:http-builder:0.7.1
>           +--- net.sf.json-lib:json-lib:2.3
>                +--- commons-lang:commons-lang:2.4 <- CVE-2025-48924
>                \--- net.sf.ezmorph:ezmorph:1.0.6
>                     \--- commons-lang:commons-lang:2.3 -> 2.4 <- CVE-2025-48924
>
> The software in question is somewhat outdated, and migrating to a
> completely different stack would take enormous time.
>
> Would you please consider fixing the CVE and releasing it via 2.6.1?
> As far as I understand, backporting the fix would be trivial, and it would
> really help for those who still use commons-lang:2.6.
>
> I could help with backporting the fix; however, I would need the help of the PMC
> to release 2.6.1.
>
> Vladimir
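Added example, not code from the thread or from Commons Lang: a small Python checker that parses `gradle dependencies` output like the chain quoted above, honours Gradle's `a -> b` conflict-resolution notation, and reports which resolved versions of commons-lang:commons-lang actually land on the classpath. The sample tree is constructed from the chain in the thread, and the "every 2.x release is affected" predicate is an assumption taken from the thread's statement that no fixed 2.x exists.

```python
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample in the layout `gradle dependencies` prints; the chain
# mirrors the one quoted in the thread. "2.3 -> 2.4" is Gradle's way of
# saying the declared 2.3 was replaced by 2.4 during conflict resolution.
SAMPLE_TREE = r"""
+--- io.codearte.gradle.nexus:gradle-nexus-staging-plugin:0.21.2
     \--- org.codehaus.groovy.modules.http-builder:http-builder:0.7.1
          \--- net.sf.json-lib:json-lib:2.3
               +--- commons-lang:commons-lang:2.4
               \--- net.sf.ezmorph:ezmorph:1.0.6
                    \--- commons-lang:commons-lang:2.3 -> 2.4
"""

# Tree-drawing prefix, then group:artifact:requested[ -> resolved].
DEP_RE = re.compile(
    r"^[\s|+\\-]*(?P<ga>[\w.-]+:[\w.-]+):(?P<requested>[\w.-]+)"
    r"(?:\s+->\s+(?P<resolved>[\w.-]+))?"
)

@dataclass(frozen=True)
class Dep:
    ga: str         # group:artifact
    requested: str  # version the declaring POM asked for
    resolved: str   # version Gradle actually put on the classpath

def parse_tree(tree: str) -> List[Dep]:
    """Turn `gradle dependencies` text into one Dep record per tree line."""
    deps = []
    for line in tree.splitlines():
        m = DEP_RE.match(line)
        if m:
            deps.append(Dep(m["ga"], m["requested"], m["resolved"] or m["requested"]))
    return deps

def flag_resolved(tree: str, ga: str, affected: Callable[[str], bool]) -> List[str]:
    """Resolved versions of `ga` that `affected` marks as vulnerable. The resolved
    version is what matters: a POM declaring 2.3 ends up shipping 2.4 here."""
    return sorted({d.resolved for d in parse_tree(tree) if d.ga == ga and affected(d.resolved)})

def commons_lang2_affected(version: str) -> bool:
    # Assumption taken from the thread: every commons-lang 2.x release, 2.6
    # included, is affected and no fixed 2.x exists, so any 2.* is flagged.
    return version.startswith("2.")
```

Feed it the text of `gradle dependencies` (or `gradle buildEnvironment` for a plugin classpath, which is where the chain above lives) and call `flag_resolved(text, "commons-lang:commons-lang", commons_lang2_affected)`.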
