ppkarwasz opened a new pull request, #152: URL: https://github.com/apache/solr-site/pull/152
This update documents that CVE-2025-48924 is **not exploitable** in Apache Solr, based on detailed dependency analysis and code path evaluation.

### Summary

Although Solr includes the vulnerable **Commons Lang** library and transitive dependencies such as **Commons Text** and **Commons Configuration**, the conditions required for exploitation are **not met** in any Solr execution paths.

### Detailed Analysis

* The vulnerable Commons Lang functionality is only exercised via **Commons Text**.
* According to the [Apache Commons Text VEX document](https://raw.githubusercontent.com/apache/commons-text/refs/heads/master/src/conf/security/VEX.cyclonedx.xml), exploitation is limited to the use of **`StringSubstitutor`** and **`StringLookup`**.
* These classes are **not used directly** in Solr’s codebase.
* Commons Text is only included in two Solr modules:
  * `solr-sql`
  * `solr-hadoop-auth`
* Neither module makes any **indirect** use of the vulnerable classes, with one exception.
* The only dependency that uses these classes is **Commons Configuration**, which is pulled in transitively via **Hadoop**.
  * Specifically, it is used by the `MetricsConfig` class in the `hadoop-common` library.
  * This code path parses only the `hadoop-metrics2.properties` file, which is considered a **trusted configuration file**, typically provided by the system administrator.

As a result, the vulnerable expression interpolation logic is **never invoked with untrusted input**, and Solr **does not meet the conditions for exploitability** outlined in the [Apache Commons Configuration VEX document](https://raw.githubusercontent.com/apache/commons-configuration/refs/heads/master/src/conf/security/VEX.cyclonedx.xml).
### References

* [Apache Commons Text VEX document](https://raw.githubusercontent.com/apache/commons-text/refs/heads/master/src/conf/security/VEX.cyclonedx.xml)
* [Apache Commons Configuration VEX document](https://raw.githubusercontent.com/apache/commons-configuration/refs/heads/master/src/conf/security/VEX.cyclonedx.xml)
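The PR's argument rests on a reachability check: which compiled classes in a distribution reference `org.apache.commons.text.StringSubstitutor` or `org.apache.commons.text.lookup.StringLookup`. The scanner below is an added example, not code from the PR or from Solr, that performs that check over a directory of jars. Every reference to a class (instantiation, method call, field or method descriptor) is stored in the class file's constant pool as the class's internal slash-separated name, so a byte search over each `.class` entry is a conservative test: it cannot miss a direct reference, though it may flag a string literal that merely spells the name. The two target class names are the ones the PR names; the sample jars are constructed inside the block and are not real Solr or Hadoop artifacts.

```python
"""Find jars whose classes reference specific JVM classes.

Added example (not part of the Solr PR or the Solr code base). It checks the
kind of claim made in the PR: that no class in a set of jars references
StringSubstitutor / StringLookup from Apache Commons Text.
"""
import io
import zipfile
from pathlib import Path

# Internal (slash-separated) names, exactly as they appear in class-file
# constant pools (CONSTANT_Class entries and descriptors such as
# "Lorg/apache/commons/text/StringSubstitutor;"). Taken from the PR text.
TARGETS = (
    "org/apache/commons/text/StringSubstitutor",
    "org/apache/commons/text/lookup/StringLookup",
)


def referenced_targets(class_bytes: bytes, targets=TARGETS) -> set[str]:
    """Return the target names that occur in one .class file's bytes.

    Both the internal form (constant pool references) and the dotted form
    (string literals handed to Class.forName and similar reflection) are
    searched, so the result is conservative: real references are never
    missed, but an unrelated string literal spelling the name is also flagged.
    """
    found = set()
    for target in targets:
        internal = target.encode("utf-8")
        dotted = target.replace("/", ".").encode("utf-8")
        if internal in class_bytes or dotted in class_bytes:
            found.add(target)
    return found


def scan_jar(data: bytes, targets=TARGETS) -> dict[str, set[str]]:
    """Map each .class entry of a jar (passed as bytes) to the targets it references."""
    hits: dict[str, set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".class"):
                continue
            found = referenced_targets(zf.read(info), targets)
            if found:
                hits[info.filename] = found
    return hits


def scan_lib_dir(lib_dir: Path, targets=TARGETS) -> dict[str, dict[str, set[str]]]:
    """Scan every *.jar below lib_dir; result is {jar name: {class entry: targets}}."""
    report = {}
    for jar in sorted(lib_dir.rglob("*.jar")):
        hits = scan_jar(jar.read_bytes(), targets)
        if hits:
            report[jar.name] = hits
    return report


def build_sample_jar(entries: dict[str, bytes]) -> bytes:
    """Constructed sample jar from {entry name: bytes}.

    The bodies are synthetic stand-ins for a constant pool (class-file magic
    followed by a descriptor string); they are not valid bytecode.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: one jar whose class carries a method descriptor returning
# StringSubstitutor, one jar that references nothing of interest.
USES_SUBSTITUTOR = build_sample_jar({
    "com/example/Config.class":
        b"\xca\xfe\xba\xbe(Ljava/lang/String;)Lorg/apache/commons/text/StringSubstitutor;",
    "com/example/Util.class": b"\xca\xfe\xba\xbejava/lang/Object",
})
CLEAN = build_sample_jar({
    "com/example/Plain.class": b"\xca\xfe\xba\xbejava/util/Properties",
})

if __name__ == "__main__":
    for label, jar in (("uses-substitutor.jar", USES_SUBSTITUTOR), ("clean.jar", CLEAN)):
        print(label, "->", scan_jar(jar) or "no references to target classes")
```

Point `scan_lib_dir` at the lib directory of the module you want to check (`solr-sql` and `solr-hadoop-auth` are the two the PR names as shipping Commons Text). If the PR's analysis holds, the only hits will be in Commons Configuration itself and in the `hadoop-common` class that uses it, not in Solr's own classes. A hit is a reachability fact only: whether the code that reaches `StringSubstitutor` ever receives untrusted input, as with `hadoop-metrics2.properties` above, is the second half of the argument and has to be settled by reading that code path, not by scanning.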
