Please open an issue for it in Github. If you are unable to open a PR, we can try to pick it up.
On Thu, 12 Mar 2026 at 15:55, Richard Zowalla <[email protected]> wrote: > > Hi, > > Feel free to propose this change in a PR :) > > Gruß > Richard > > > Am 12.03.2026 um 10:26 schrieb YUGENDRAN R S <[email protected]>: > > > > Hello Team, > > > > As you are aware, Apache Storm currently depends on commons-lang 2.6 and > > this version is affected by CVE-2025-48924 > > <https://nvd.nist.gov/vuln/detail/CVE-2025-48924> - an Uncontrolled > > Recursion vulnerability. The commons-lang 2.x is end-of-life with no active > > maintenance. > > > > As Storm already started using commons-lang 3.x from 2.6.0 > > <https://issues.apache.org/jira/browse/STORM-3972>, do we have plans to > > migrate commons-lang from 2.x to 3.x? Which means, migrate all the internal > > code references from org.apache.commons.lang* to > > org.apache.commons.lang3.*, make the API level changes and fully remove the > > commons-lang 2.6 dependency from all build files once migration is complete. > > > > This migration will resolve the known vulnerability, align Storm with an > > actively maintained library & reduce exposure to any future vulnerabilities. > > > > > > Thanks > > Yugendran
