Cyl created LANG-1826:
-------------------------

             Summary: Issue: Unchecked integer overflow in public Commons Lang 
size APIs can trigger denial of service
                 Key: LANG-1826
                 URL: https://issues.apache.org/jira/browse/LANG-1826
             Project: Commons Lang
          Issue Type: Bug
          Components: lang.text.*
            Reporter: Cyl


h1. Issue: Unchecked integer overflow in public Commons Lang size APIs can trigger denial of service

h2. Basic Information

* *Project*: LANG
* *Type*: Issue
* *Severity*: Medium
* *Affected Versions*: <= 3.20.0
* *Fixed Version*: N/A

h2. Description

This issue affects public methods in Apache Commons Lang that derive allocation 
lengths directly from caller-controlled integers. A large positive {{count}} or 
{{capacity}} can wrap to a negative size and trigger 
{{NegativeArraySizeException}}, allowing downstream applications that pass 
attacker-controlled values into these APIs to fail requests or jobs with a 
low-effort denial of service.

The affected methods are:

* {{StringUtils.repeat(String, int)}}
* {{StringUtils.repeat(String, String, int)}}
* {{StrBuilder.ensureCapacity(int)}}

These paths use unchecked {{int}} arithmetic before allocating arrays or 
builders.

h2. Impact

This is a denial of service issue in a widely used library dependency. Any 
application that passes untrusted size or count values into these APIs can be 
forced into runtime failure. In practice this can break request handlers, batch 
jobs, template generation, export tasks, or message-processing flows that rely 
on Commons Lang string repetition or buffer preallocation with 
attacker-controlled inputs.

h2. Affected products

* *Ecosystem*: maven
* *Package name*: org.apache.commons:commons-lang3
* *Affected versions*: <= 3.20.0

h2. Severity

* *Severity*: Medium
* *Vector string*: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

h2. Weaknesses

* *CWE*: CWE-190: Integer Overflow or Wraparound

h2. Occurrences

* {{StringUtils.repeat(String, int)}} multiplies {{inputLength * count}} with 
unchecked {{int}} arithmetic and then uses the result for {{char[]}} or 
{{StringBuilder}} allocation.
* {{StringUtils.repeat(String, String, int)}} preserves the same flaw by 
concatenating {{repeat + separator}} and delegating to the vulnerable 
{{repeat(String, int)}} path.
* {{StrBuilder.ensureCapacity(int)}} allocates {{new char[capacity * 2]}} with 
unchecked multiplication, allowing a wrapped negative size to reach allocation.

h2. Reproduction summary

Supplying {{1_073_741_824}} to these APIs causes {{* 2}} to wrap to 
{{-2147483648}}, which then reaches allocation and raises 
{{NegativeArraySizeException}}. This is reachable without source modification, 
reflection, or internal access.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
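
A caller-side guard for the size arithmetic described in the report, as an added example that is not part of the original issue or of Commons Lang. The class {{SizeGuard}}, its method names and the {{MAX_CHARS}} limit are hypothetical; the guard is meant to run in application code before an untrusted count or capacity is passed to the listed APIs.

```java
public class SizeGuard {

    // Hypothetical application-level cap on generated text (assumption, tune per use case).
    static final int MAX_CHARS = 1 << 20;

    /** The unchecked pattern from the report: int multiplication wraps silently. */
    static int uncheckedLength(int inputLength, int count) {
        return inputLength * count;
    }

    /**
     * Checked form: compute the product in long so it cannot wrap, then
     * reject negative or over-limit sizes before anything is allocated.
     */
    static int checkedLength(int inputLength, int count) {
        if (inputLength < 0 || count < 0) {
            throw new IllegalArgumentException("negative length or count");
        }
        long total = (long) inputLength * (long) count;
        if (total > MAX_CHARS) {
            throw new IllegalArgumentException(
                "requested size " + total + " exceeds limit " + MAX_CHARS);
        }
        return (int) total;
    }

    public static void main(String[] args) {
        int count = 1_073_741_824; // value quoted in the reproduction summary

        // Wrapped result that would reach an array or builder allocation.
        System.out.println("unchecked: " + uncheckedLength(2, count));

        // The same input is rejected before any allocation is attempted.
        try {
            checkedLength(2, count);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // An ordinary request passes through unchanged.
        System.out.println("checked: " + checkedLength(3, 1000));
    }
}
```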
