[ https://issues.apache.org/jira/browse/KAFKA-19538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Luke Chen resolved KAFKA-19538.
-------------------------------
    Resolution: Duplicate

Duplicate of KAFKA-19520.

> Kafka uses vulnerable Apache Commons Lang3 version (3.12.0) – Uncontrolled Recursion (CVE-2025-48924)
> -----------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-19538
>                 URL: https://issues.apache.org/jira/browse/KAFKA-19538
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 3.9.1, 4.0.0
>            Reporter: Mangesh Dushman
>            Priority: Blocker
>
> Apache Kafka currently includes the {{org.apache.commons:commons-lang3}} library version {*}3.12.0{*}, which is affected by a critical {*}Uncontrolled Recursion vulnerability (CVE-2025-48924){*}.
>
> *Vulnerability Details:*
> * Affected Method: {{ClassUtils.getClass(String)}}
> * Impact: Can throw a {{StackOverflowError}} on very long input values. Since {{Error}} types are generally not caught by applications, this can lead to unexpected application termination or denial of service.
> * Affected Versions:
> ** {{commons-lang3}} versions *3.0 to < 3.18.0*
> ** {{commons-lang}} versions *2.0 to 2.6*
>
> *Current Kafka Status:*
> * As of Kafka *4.0.0* and {*}3.9.1{*}, the project uses {*}Apache Commons Lang3 version 3.12.0{*}, which falls within the affected version range.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
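The ticket gives two affected version ranges (commons-lang3 3.0 up to but excluding 3.18.0, commons-lang 2.0 through 2.6) and states that Kafka 3.9.1 and 4.0.0 ship commons-lang3 3.12.0. The script below is an added example, not part of the Jira ticket or of Apache Kafka: it encodes those ranges and scans a Kafka installation's libs/ directory for commons-lang jars that fall inside them. It assumes Maven-style jar names such as commons-lang3-3.12.0.jar; the /opt/kafka/libs path in the comments and the sample directory built by demo() are assumptions and constructed data, not a real distribution.

```shell
#!/bin/sh
# Added example (not part of the Jira ticket or of Apache Kafka): check whether
# the commons-lang jars in a Kafka installation's libs/ directory fall in the
# version ranges the report lists for CVE-2025-48924:
#   commons-lang3 : 3.0 <= version <  3.18.0
#   commons-lang  : 2.0 <= version <= 2.6
# Assumes Maven-style jar names such as commons-lang3-3.12.0.jar. The directory
# built in demo() is constructed here and is not a real Kafka distribution.

# version_lt A B : succeed (exit 0) if dotted version A sorts before B.
# Components are compared numerically, missing components count as 0, and a
# qualifier such as "-SNAPSHOT" is ignored because awk's +0 stops at the dash.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1   # equal versions are not "less than"
  }'
}

# commons_lang_affected ARTIFACT VERSION : succeed if the pair is in range.
commons_lang_affected() {
  case $1 in
    commons-lang3)
      if ! version_lt "$2" 3.0 && version_lt "$2" 3.18.0; then return 0; fi ;;
    commons-lang)
      if ! version_lt "$2" 2.0 && ! version_lt 2.6 "$2"; then return 0; fi ;;
  esac
  return 1
}

# scan_libs DIR : print one line per commons-lang jar under DIR and succeed if
# at least one of them is in the affected range.
scan_libs() {
  found=1
  for jar in "$1"/commons-lang*.jar; do
    [ -e "$jar" ] || continue                # glob matched nothing
    base=$(basename "$jar" .jar)             # e.g. commons-lang3-3.12.0
    case $base in
      *-sources|*-javadoc) continue ;;       # not runtime classpath jars
    esac
    artifact=${base%-*}                      # commons-lang3
    version=${base##*-}                      # 3.12.0
    if commons_lang_affected "$artifact" "$version"; then
      printf 'AFFECTED  %s  (%s %s, CVE-2025-48924)\n' "$jar" "$artifact" "$version"
      found=0
    else
      printf 'ok        %s\n' "$jar"
    fi
  done
  return $found
}

# demo : build a constructed libs/ directory and scan it. Against a real
# install you would run, for example, scan_libs /opt/kafka/libs (the path is
# an assumption about your layout).
demo() {
  d=$(mktemp -d)
  : > "$d/commons-lang3-3.12.0.jar"          # the version the report says Kafka ships
  : > "$d/commons-lang3-3.18.0.jar"          # first 3.x release outside the range
  : > "$d/commons-lang-2.6.jar"              # old commons-lang, also listed as affected
  scan_libs "$d"
  rc=$?
  rm -rf "$d"
  return $rc
}

demo
```

The scan exits 0 when at least one affected jar is present, so it can gate a deployment pipeline directly; the version comparison is kept in plain awk rather than `sort -V` so the script runs on a minimal POSIX sh without GNU coreutils.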