@JinwooHwang JinwooHwang commented Jan 9, 2026

GEODE-10546: Address CVE-2025-48924 in Apache Commons Lang3

Description

This PR addresses the security vulnerability CVE-2025-48924 (Uncontrolled Recursion in Apache Commons Lang3) by upgrading the commons-lang3 dependency from version 3.12.0 to 3.18.0 and replacing deprecated/removed methods with Java standard library equivalents.

Security Context

CVE-2025-48924: Uncontrolled Recursion (CWE-674) in ClassUtils.getClass() method affecting commons-lang3 versions 3.0 through 3.17.x. The vulnerability could lead to stack overflow errors when processing deeply nested class hierarchies.

Severity: Medium
Fixed in: commons-lang3 3.18.0

Changes Made

1. Dependency Upgrade

  • File: build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
  • Change: Updated commons-lang3 version from "3.12.0" to "3.18.0"

2. Code Refactoring (9 files)

Replaced deprecated StringUtils and LineIterator methods with Java standard library equivalents:

StringUtils.startsWith → String.startsWith

  • geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/ConnectCommand.java (line 126)
    • Added null check: if (url != null && url.startsWith("https"))

StringUtils.containsIgnoreCase → String.toLowerCase().contains()

  • geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/QueryCommand.java (lines 87-88)

StringUtils.removeStart → Ternary with startsWith() + substring()

  • geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/CreateIndexCommand.java (line 172)
  • geode-management/src/main/java/org/apache/geode/management/configuration/Index.java (line 91)

StringUtils.equals → Objects.equals

  • geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/FixedPartitionAttributesInfo.java (line 40)
  • geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/RegionAttributesInfo.java (line 367)
  • geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/PartitionAttributesInfo.java (lines 155-157)
  • Added import java.util.Objects where needed

LineIterator.nextLine() → LineIterator.next()

  • geode-assembly/src/acceptanceTest/java/org/apache/geode/management/internal/cli/commands/StartServerCommandAcceptanceTest.java (lines 106, 155)

Mockito Compatibility Fix

  • geode-core/src/test/java/org/apache/geode/internal/cache/ServerConnectionTest.java (line 310)
  • Changed mock(MutableInt.class) to new MutableInt(0) due to bytecode changes in commons-lang3 3.18.0

Testing

Unit Tests

./gradlew test

Build Verification

./gradlew clean build

Breaking Changes

None. All changes maintain backward compatibility and use standard Java APIs.

Notes

  • The upgrade to commons-lang3 3.18.0 introduces bytecode changes that make MutableInt incompatible with Mockito's mock functionality, requiring the use of actual instances in tests.
  • All deprecated StringUtils methods have been replaced with equivalent Java standard library methods, reducing dependency on Apache Commons Lang.

Related Issues

Checklist

  • Security vulnerability addressed
  • Dependency upgraded to patched version
  • Deprecated methods replaced with standard alternatives
  • All quality checks pass
  • Unit tests updated and passing
  • Code formatting compliant
  • No breaking changes introduced

- Upgrade commons-lang3 from 3.12.0 to 3.18.0
- Replace StringUtils.startsWith with String.startsWith (with null check)
- Replace StringUtils.containsIgnoreCase with toLowerCase().contains()
- Replace StringUtils.removeStart with ternary operator pattern
- Replace StringUtils.equals with Objects.equals
- Replace LineIterator.nextLine() with LineIterator.next()
- Fix Mockito compatibility with MutableInt in commons-lang3 3.18.0
- All quality checks pass (japicmp, javadoc, spotlessCheck, rat, checkPom, pmdMain)
- ConnectCommandTest: 24 tests now pass (fixed NullPointerException)
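The StringUtils methods replaced in this PR are null-safe, while the JDK String methods throw a NullPointerException on a null receiver (the cause of the ConnectCommandTest fix above). The following is an added example, not Geode code, showing null-safe standalone equivalents for each replacement pattern; the sample inputs are constructed.

```java
import java.util.Locale;
import java.util.Objects;

/** Null-safe stand-ins for the commons-lang3 StringUtils calls replaced in the PR. */
public final class NullSafeStringOps {

    // StringUtils.startsWith(s, prefix): null on either side means "no match",
    // the same behaviour the added url != null check restores in ConnectCommand.
    static boolean startsWith(String s, String prefix) {
        return s != null && prefix != null && s.startsWith(prefix);
    }

    // StringUtils.containsIgnoreCase(s, search): lower-case both sides before
    // contains(). Locale.ROOT keeps the fold independent of the JVM default locale.
    static boolean containsIgnoreCase(String s, String search) {
        if (s == null || search == null) {
            return false;
        }
        return s.toLowerCase(Locale.ROOT).contains(search.toLowerCase(Locale.ROOT));
    }

    // StringUtils.removeStart(s, prefix): the ternary pattern from the PR, guarded
    // so that a null or empty argument returns the input unchanged.
    static String removeStart(String s, String prefix) {
        if (s == null || prefix == null || prefix.isEmpty()) {
            return s;
        }
        return s.startsWith(prefix) ? s.substring(prefix.length()) : s;
    }

    // StringUtils.equals(a, b): Objects.equals is already null-safe for both arguments.
    static boolean equals(String a, String b) {
        return Objects.equals(a, b);
    }

    public static void main(String[] args) {
        String url = null; // constructed: the null input that raised the NPE before the fix
        System.out.println("startsWith(null, \"https\")        = " + startsWith(url, "https"));
        System.out.println("containsIgnoreCase(query, select)  = "
            + containsIgnoreCase("SELECT * FROM /exampleRegion", "select"));
        System.out.println("removeStart(\"/exampleRegion\", \"/\") = " + removeStart("/exampleRegion", "/"));
        System.out.println("removeStart(null, \"/\")            = " + removeStart(null, "/"));
        System.out.println("equals(null, null)                 = " + equals(null, null));
    }
}
```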