Hello Team, As you are aware, Apache Storm currently depends on commons-lang 2.6 and this version is affected by CVE-2025-48924 <https://nvd.nist.gov/vuln/detail/CVE-2025-48924> - an Uncontrolled Recursion vulnerability. The commons-lang 2.x is end-of-life with no active maintenance.
As Storm already started using commons-lang 3.x from 2.6.0 <https://issues.apache.org/jira/browse/STORM-3972>, do we have plans to migrate commons-lang from 2.x to 3.x? Which means, migrate all the internal code references from org.apache.commons.lang* to org.apache.commons.lang3.*, make the API level changes and fully remove the commons-lang 2.6 dependency from all build files once migration is complete. This migration will resolve the known vulnerability, align Storm with an actively maintained library & reduce exposure to any future vulnerabilities. Thanks Yugendran
