Hi,

Feel free to propose this change in a PR :)

Regards
Richard

> On 12.03.2026 at 10:26, YUGENDRAN R S <[email protected]> wrote:
> 
> Hello Team,
> 
> As you are aware, Apache Storm currently depends on commons-lang 2.6 and
> this version is affected by CVE-2025-48924
> <https://nvd.nist.gov/vuln/detail/CVE-2025-48924> - an Uncontrolled
> Recursion vulnerability. The commons-lang 2.x is end-of-life with no active
> maintenance.
> 
> As Storm already started using commons-lang 3.x from 2.6.0
> <https://issues.apache.org/jira/browse/STORM-3972>, do we have plans to
> migrate commons-lang from 2.x to 3.x? This means migrating all the internal
> code references from org.apache.commons.lang* to
> org.apache.commons.lang3.*, making the API-level changes and fully removing the
> commons-lang 2.6 dependency from all build files once migration is complete.
> 
> This migration will resolve the known vulnerability, align Storm with an
> actively maintained library & reduce exposure to any future vulnerabilities.
> 
> 
> Thanks
> Yugendran
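The migration steps in the quoted mail (rewrite package references, then confirm the 2.x artifact is gone from build files) can be checked mechanically. The script below is an added illustration, not Storm code or the thread author's: it rewrites `org.apache.commons.lang.` references without touching `lang3.` ones and lists any `commons-lang:commons-lang` dependency still declared in a POM. The Java and POM samples are constructed, and the `3.X.Y` version is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Java source: a legacy 2.x import, an already migrated
# lang3 import that must be left alone, and a fully qualified 2.x reference.
SAMPLE_JAVA = """\
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.Validate;

public class Demo {
    Class<?> c = org.apache.commons.lang.builder.ToStringBuilder.class;
}
"""
# Constructed sample pom.xml declaring both artifacts; the 3.x version is a
# placeholder, not a statement about which release fixes the CVE.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>commons-lang</groupId>
      <artifactId>commons-lang</artifactId>
      <version>2.6</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.X.Y</version>
    </dependency>
  </dependencies>
</project>
"""
# The trailing escaped dot is what keeps "org.apache.commons.lang3." unmatched.
LEGACY_PKG = re.compile(r"\borg\.apache\.commons\.lang\.")
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

def migrate_references(source: str) -> tuple[str, int]:
    """Rewrite 2.x package references to lang3; return (new source, count)."""
    return LEGACY_PKG.subn("org.apache.commons.lang3.", source)

def legacy_dependencies(pom_xml: str) -> list[str]:
    """List every commons-lang:commons-lang (2.x line) dependency still in a POM."""
    found = []
    for dep in ET.fromstring(pom_xml).iter(POM_NS + "dependency"):
        gid = dep.findtext(POM_NS + "groupId")
        aid = dep.findtext(POM_NS + "artifactId")
        if gid == "commons-lang" and aid == "commons-lang":
            found.append(f"{gid}:{aid}:{dep.findtext(POM_NS + 'version') or 'managed'}")
    return found
```

Run over a real tree, the rewrite count tells you how much of the migration remains, and a non-empty dependency list means the 2.6 artifact is still being pulled in.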
