Isha Kunwar created SOLR-17822:
----------------------------------

             Summary: Upgrade `commons-lang3` to 3.18.0
                 Key: SOLR-17822
                 URL: https://issues.apache.org/jira/browse/SOLR-17822
             Project: Solr
          Issue Type: Task
      Security Level: Public (Default Security Level. Issues are Public)
          Components: Build, security
    Affects Versions: 9.8.1, 9.7, 9.5
         Environment: Detected via internal security scan across deployed Solr versions: 9.5, 9.7, and 9.8.
            Reporter: Isha Kunwar
         Attachments: Screenshot 2025-07-22 101544.png
While reviewing our deployments, we noticed that Apache Solr ships with `commons-lang3` version 3.14.0, which is affected by CVE-2025-48924 (High severity).

Details:
- CVE: CVE-2025-48924 (https://nvd.nist.gov/vuln/detail/CVE-2025-48924)
- Affected Library: org.apache.commons:commons-lang3
- Detected Version: 3.14.0
- Fixed Version: 3.18.0
- Path: /opt/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-lang3-3.14.0.jar
- Detected On: 9.5, 9.7, 9.8
- Detection Time: 2025-07-11
- Issue: Uncontrolled recursion in `ClassUtils.getClass(...)` may throw a `StackOverflowError` (https://nvd.nist.gov/vuln/detail/CVE-2025-48924) on very long inputs.
- Impact: Since `Error`s are typically not caught by applications or libraries, this could result in application crashes.

Request: Please let me know if this issue is known or already being tracked, and whether an upgrade or patch is planned in upcoming Solr releases.

Thanks.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
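A defender-side check for the condition this issue reports, as an added example that is not part of the Jira issue or of the Solr project: the script scans a Solr WEB-INF/lib directory for commons-lang3 jars and flags any whose filename version is below the fixed version 3.18.0, which is how an internal scan across the 9.5, 9.7 and 9.8 deployments named above could be reproduced. The default path is the one reported in the issue; the temporary directories and empty jar files built under mktemp are constructed for demonstration, and the function names version_lt and check_lib_dir are this example's own.

```sh
#!/bin/sh
# Added example, not code from the Jira issue or from Apache Solr: flag
# commons-lang3 jars older than the release that fixes CVE-2025-48924.

FIXED_VERSION="3.18.0"
# Path reported in the issue; override with SOLR_LIB_DIR if Solr lives elsewhere.
DEFAULT_LIB_DIR="${SOLR_LIB_DIR:-/opt/solr/server/solr-webapp/webapp/WEB-INF/lib}"

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Components are compared numerically one at a time; a missing component counts as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1   # versions are equal
}

# check_lib_dir DIR: print a verdict for each commons-lang3 jar in DIR.
# Returns 1 if any jar is below FIXED_VERSION, 0 otherwise.
check_lib_dir() {
    dir="$1"; rc=0; found=0
    for jar in "$dir"/commons-lang3-*.jar; do
        [ -e "$jar" ] || continue
        found=1
        name=${jar##*/}
        ver=${name#commons-lang3-}
        ver=${ver%.jar}
        ver=${ver%%-*}   # drop qualifiers such as -SNAPSHOT before the numeric compare
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "VULNERABLE  $jar (commons-lang3 $ver < $FIXED_VERSION, CVE-2025-48924)"
            rc=1
        else
            echo "OK          $jar (commons-lang3 $ver)"
        fi
    done
    [ "$found" -eq 1 ] || echo "NONE        no commons-lang3 jar under $dir"
    return "$rc"
}

# Constructed sample: one lib dir shipping the affected jar, one already upgraded.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/old" "$SAMPLE/new"
: > "$SAMPLE/old/commons-lang3-3.14.0.jar"
: > "$SAMPLE/new/commons-lang3-3.18.0.jar"

for d in "$SAMPLE/old" "$SAMPLE/new"; do
    if check_lib_dir "$d"; then
        echo "$d: no action needed"
    else
        echo "$d: upgrade commons-lang3 to $FIXED_VERSION"
    fi
done

# Scan the deployed path as well; skipped quietly on hosts without Solr.
if [ -d "$DEFAULT_LIB_DIR" ]; then check_lib_dir "$DEFAULT_LIB_DIR" || :; fi
```

The comparison is filename-based, so it matches the jar path the issue lists but would miss a shaded or renamed copy of the library; for an inventory across many hosts, confirm findings against a generated SBOM or the jar's MANIFEST rather than the filename alone.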