Mangesh Dushman created KAFKA-19538:
---------------------------------------
Summary: Kafka uses vulnerable Apache Commons Lang3 version
(3.12.0) – Uncontrolled Recursion (CVE-2025-48924)
Key: KAFKA-19538
URL: https://issues.apache.org/jira/browse/KAFKA-19538
Project: Kafka
Issue Type: Bug
Affects Versions: 4.0.0, 3.9.1
Reporter: Mangesh Dushman
Apache Kafka currently includes the {{org.apache.commons:commons-lang3}}
library version {*}3.12.0{*}, which is affected by a critical {*}Uncontrolled
Recursion vulnerability (CVE-2025-48924){*}.
*Vulnerability Details:*
* Affected Method: {{ClassUtils.getClass(String)}}
* Impact: Can throw a {{StackOverflowError}} on very long input values. Since
{{Error}} types are generally not caught by applications, this can lead to
unexpected application termination or denial of service.
* Affected Versions:
** {{commons-lang3}} versions *3.0 to < 3.18.0*
** {{commons-lang}} versions *2.0 to 2.6*
*Current Kafka Status:*
* As of Kafka *4.0.0* and {*}3.9.1{*}, the project uses {*}Apache Commons
Lang3 version 3.12.0{*}, which falls within the affected version range.
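As an added example (not part of this Jira issue or the Kafka project), a small Python check that flags commons-lang jar file names falling inside the affected ranges listed above (commons-lang3 3.0 to < 3.18.0, commons-lang 2.0 to 2.6); the sample file names are constructed, and only the file name is inspected, not the jar contents.

```python
import re
from pathlib import Path

# Affected ranges as stated in the issue: lower bound inclusive; the upper
# bound is exclusive for commons-lang3 (< 3.18.0) and inclusive for the
# legacy commons-lang artifact (2.0 to 2.6).
AFFECTED = {
    "commons-lang3": ((3, 0, 0), (3, 18, 0), False),
    "commons-lang": ((2, 0, 0), (2, 6, 0), True),
}

# Matches e.g. "commons-lang3-3.12.0.jar" or "commons-lang-2.6.jar"
JAR_RE = re.compile(r"^(commons-lang3?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'3.12.0' -> (3, 12, 0); pad to three components so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(artifact, version):
    """True if artifact/version lies in a range the issue reports as affected."""
    if artifact not in AFFECTED:
        return False
    low, high, high_inclusive = AFFECTED[artifact]
    v = parse_version(version)
    if v < low:
        return False
    return v <= high if high_inclusive else v < high


def scan_jar_names(names):
    """Return [(jar_name, artifact, version)] for every affected jar in a name list."""
    hits = []
    for name in names:
        m = JAR_RE.match(name)
        if m and is_affected(m.group(1), m.group(2)):
            hits.append((name, m.group(1), m.group(2)))
    return hits


def scan_libs_dir(libs_dir):
    """Scan a directory such as <kafka>/libs by file name only."""
    return scan_jar_names(p.name for p in Path(libs_dir).iterdir() if p.is_file())


if __name__ == "__main__":
    # Constructed listing resembling a Kafka 4.0.0 libs directory
    sample = ["kafka_2.13-4.0.0.jar", "commons-lang3-3.12.0.jar", "zookeeper-3.8.4.jar"]
    for hit in scan_jar_names(sample):
        print("affected:", hit)
```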
--
This message was sent by Atlassian Jira
(v8.20.10#820010)