33 lines (33 loc) · 1.9 KB
openvex.json
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://commons.apache.org/security/vex/urn:uuid:9d64577b-0376-4ee7-b154-5ec26a1803f4",
  "author": "Apache Commons Security Team <security@commons.apache.org>",
  "role": "Security Team",
  "version": 2,
  "tooling": "This document was automatically converted from the `VEX.cyclonedx.xml` file.\nDo not edit this file directly, run `generate_openvex.py` to regenerate it.",
  "timestamp": "2025-07-29T12:26:42Z",
  "statements": [
    {
      "products": [
        {
          "@id": "pkg:maven/org.apache.commons/commons-text?type=jar",
          "identifiers": {
            "purl": "pkg:maven/org.apache.commons/commons-text?type=jar"
          }
        }
      ],
      "vulnerability": {
        "name": "CVE-2025-48924",
        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924",
        "aliases": [
          "GHSA-j288-q9x7-2f5v"
        ]
      },
      "status": "affected",
      "status_notes": "CVE-2025-48924 is exploitable in Apache Commons Text versions 1.5 and later, but only when all the following conditions are met:\n\n* The consuming project includes a vulnerable version of Commons Text on the classpath.\n As of version `1.14.1`, Commons Text no longer references a vulnerable version of the `commons-lang3` library in its POM file.\n* Unvalidated or unsanitized user input is passed to the `StringSubstitutor` or `StringLookup` classes.\n* An interpolator lookup created via `StringLookupFactory.interpolatorLookup()` is used.\n\nIf these conditions are satisfied, an attacker may cause an infinite loop by submitting a specially crafted input such as `${const:...}`.",
      "action_statement": "Check if untrusted user input is passed to the `StringSubstitutor` or `StringLookup` classes,\nand if so, upgrade to Apache Commons Lang 3.18.0 or later.",
      "timestamp": "2025-07-29T12:26:42Z",
      "last_updated": "2025-07-29T12:26:42Z"
    }
  ]
}