CVE-2025-48924
WSO2 Products impacted: no
Customer actions required: no
REPORTED VULNERABILITY
Apache Commons Lang 2.6 contains an uncontrolled recursion flaw in the method org.apache.commons.lang.ClassUtils.getClass(String).
When the class cannot be loaded under the name as given, the method replaces the last '.' in the name with '$' (so that inner classes may be written with dots) and calls itself on the result. The recursion depth therefore grows with the number of separators in the input, and no depth limit is enforced.[1]
An attacker who can influence the class-name values that reach this method, for example through configuration that is resolved with it, can supply an excessively long name and trigger a java.lang.StackOverflowError. Because an Error is normally not caught by application code, the failure can terminate the processing thread or the whole application, a denial-of-service (DoS) condition.
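As an added illustration (not code from Commons Lang or from WSO2), the class below re-implements the 2.6 fallback pattern in simplified form next to a bounded, iterative alternative written for this page, not taken from the upstream fix. The explicit thread stack size, the length and segment limits, and the hostile input are values chosen for the demonstration and are assumptions, not figures from the advisory.

```java
import java.util.concurrent.atomic.AtomicReference;

/**
 * Model of the recursive "dot to dollar" fallback used by Commons Lang 2.6
 * ClassUtils.getClass(String), and a bounded alternative.
 * Simplified re-implementation for illustration; not the library's code.
 */
public class ClassNameRecursionDemo {

    /** Mirrors the 2.6 pattern: on ClassNotFoundException, replace the last '.'
     *  with '$' and recurse. Recursion depth equals the number of dots in the
     *  input, so the caller of getClass controls how deep the stack goes. */
    static Class<?> resolveRecursive(ClassLoader loader, String name) throws ClassNotFoundException {
        try {
            return Class.forName(name, false, loader);
        } catch (ClassNotFoundException ex) {
            int lastDot = name.lastIndexOf('.');
            if (lastDot != -1) {
                try {
                    return resolveRecursive(loader,
                            name.substring(0, lastDot) + '$' + name.substring(lastDot + 1));
                } catch (ClassNotFoundException ignored) {
                    // fall through and rethrow the exception for the original name
                }
            }
            throw ex;
        }
    }

    // Limits assumed for this example; tune to the longest legitimate name you expect.
    static final int MAX_NAME_LENGTH = 1024;
    static final int MAX_SEGMENTS = 64;

    /** Hardened alternative (written for this page, not the upstream fix): reject
     *  oversized input up front and loop instead of recursing, so stack use does
     *  not depend on the input at all. */
    static Class<?> resolveBounded(ClassLoader loader, String name) throws ClassNotFoundException {
        if (name.length() > MAX_NAME_LENGTH) {
            throw new IllegalArgumentException("class name too long: " + name.length());
        }
        int dots = 0;
        for (int i = 0; i < name.length(); i++) {
            if (name.charAt(i) == '.') dots++;
        }
        if (dots > MAX_SEGMENTS) {
            throw new IllegalArgumentException("too many name segments: " + (dots + 1));
        }
        ClassNotFoundException first = null;
        StringBuilder candidate = new StringBuilder(name);
        while (true) {
            try {
                return Class.forName(candidate.toString(), false, loader);
            } catch (ClassNotFoundException ex) {
                if (first == null) first = ex;          // report the original name, as 2.6 does
                int lastDot = candidate.lastIndexOf(".");
                if (lastDot == -1) throw first;
                candidate.setCharAt(lastDot, '$');      // same dot-to-dollar step, no new frame
            }
        }
    }

    /** Constructed hostile input: "a.a.a....a" with the given number of dots. */
    static String hostileName(int dots) {
        StringBuilder sb = new StringBuilder(dots * 2 + 1);
        sb.append('a');
        for (int i = 0; i < dots; i++) sb.append(".a");
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = ClassNameRecursionDemo.class.getClassLoader();

        // Legitimate use of the fallback: an inner class written with a dot.
        String benign = "java.util.Map.Entry";
        System.out.println("recursive: " + resolveRecursive(loader, benign));
        System.out.println("bounded:   " + resolveBounded(loader, benign));

        // Run the vulnerable path on a thread with a deliberately small stack so the
        // failure is quick and independent of the JVM's default -Xss.
        String hostile = hostileName(200_000);
        AtomicReference<Throwable> outcome = new AtomicReference<>();
        Thread t = new Thread(null, () -> {
            try {
                resolveRecursive(loader, hostile);
            } catch (Throwable e) {
                // StackOverflowError is an Error, not an Exception: a caller that only
                // catches ClassNotFoundException never sees it and the thread dies.
                outcome.set(e);
            }
        }, "vulnerable-path", 256 * 1024);
        t.start();
        t.join();
        System.out.println("recursive on hostile input: " + outcome.get().getClass().getName());

        try {
            resolveBounded(loader, hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("bounded on hostile input:   rejected, " + e.getMessage());
        }
    }
}
```

Save as ClassNameRecursionDemo.java, compile with javac and run with java ClassNameRecursionDemo. Both resolvers find java.util.Map$Entry from the dotted form; on the hostile name the recursive model fails with StackOverflowError while the bounded version rejects the input before any class loading happens. The length and segment checks are the part that matters for a caller that takes class names from configuration: they turn an unbounded, input-controlled recursion into a rejected value.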
REPORTED PRODUCTS
- WSO2 API Manager: 3.2.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0
WSO2 JUSTIFICATION
The reported vulnerability concerns the ClassUtils.getClass method in Commons Lang 2.6, which recurses once per separator in the class name it is given and can exhaust the stack when invoked with an excessively long, attacker-controlled class name. The method exists in the bundled library, but WSO2 API Manager does not invoke it directly during normal product operation. The only transitive references originate from Apache Commons Configuration (BeanHelper), which operates exclusively on trusted configuration values stored in server-side configuration locations. Those locations are writable only by authorized administrators, so untrusted external users cannot supply or modify the class-name inputs needed to reach the vulnerable code path. The method is therefore present but not reachable in a way that creates a remote attack surface, and the vulnerability does not pose a meaningful risk within WSO2 products deployed according to the standard security hardening guidelines.
Migrating to Commons Lang 3.x (the fixed release is 3.18.0; earlier 3.x releases are affected as well) is not API-compatible with the 2.x line, since the package was renamed to org.apache.commons.lang3, and would require extensive refactoring across core components and bundled third-party modules, with potential compatibility and stability impacts for existing customer environments. Because the vulnerable code path is not reachable from untrusted inputs and exploitation is practically infeasible under standard deployment hardening, environments that follow WSO2's recommended operational and security practices remain protected. This conclusion rests on the configuration locations staying writable only by administrators, which operators should confirm as part of their hardening checks.
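To check the reachability claim against a particular installation, the added scanner below (an example for this page, not a WSO2 tool) walks a directory tree, opens every jar it finds, and reports each class file whose bytes contain the internal name org/apache/commons/lang/ClassUtils, that is, each class whose constant pool references ClassUtils. The directory argument, the raw byte-scan approach and the Java 9+ InputStream.readAllBytes call are assumptions of this example. Hits are candidates rather than proof: any reference to the class matches (not only getClass), and reflective callers or jars nested inside other archives are not seen, so confirm each hit with javap -c.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/**
 * Lists every class, in the jars under a directory tree, whose bytes name
 * org.apache.commons.lang.ClassUtils: the candidate callers of the affected method.
 * Example code for triage; confirm each hit with javap -c.
 */
public class ClassUtilsReferenceScan {

    // Internal (slash-separated) form, as stored in constant-pool UTF8 entries.
    static final byte[] NEEDLE =
            "org/apache/commons/lang/ClassUtils".getBytes(StandardCharsets.UTF_8);

    /** Plain byte search; class files are small enough that this is fast. */
    static boolean contains(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i <= haystack.length - needle.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    /** Returns "jar!entry" for each class file in the jar that references ClassUtils. */
    static List<String> scanJar(Path jar) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipFile zip = new ZipFile(jar.toFile())) {
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
                if (!e.getName().endsWith(".class")) continue;
                // Skip ClassUtils itself and its inner classes: we want callers.
                if (e.getName().startsWith("org/apache/commons/lang/ClassUtils")) continue;
                try (InputStream in = zip.getInputStream(e)) {
                    if (contains(in.readAllBytes(), NEEDLE)) {
                        hits.add(jar + "!" + e.getName());
                    }
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        List<Path> jars;
        try (Stream<Path> paths = Files.walk(root)) {
            jars = paths.filter(p -> p.toString().endsWith(".jar"))
                        .collect(Collectors.toList());
        }
        for (Path jar : jars) {
            for (String hit : scanJar(jar)) {
                System.out.println(hit);
            }
        }
    }
}
```

Run it against the directories that hold the product's bundles, for example java ClassUtilsReferenceScan <APIM_HOME>/repository/components/plugins and again against <APIM_HOME>/lib. If the justification above holds for your build, the only non-library hits should be Commons Configuration's BeanHelper and related classes; any additional hit in a component that handles request data is the case to investigate.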
REFERENCES
1. https://nvd.nist.gov/vuln/detail/CVE-2025-48924