JRE8 continues to roll in patches so we haven't been able to move away from it.
Would you please continue to patch 3rd party libs used in yajsw v13.x?
CVE-2025-48924 has been issued for:
1. commons-lang3-3.12.0.jar vulnerability
2. commons-lang-2.6.jar vulnerability
Found with yajsw v13.15:
- yajsw\lib\core\commons\commons-lang3-3.12.0.jar
- yajsw\lib\core\commons\commons-lang-2.6.jar
Whitesource (Mend) Scan as of 8/26/2025:
CVE-2025-48924
CVSS 3 Score: 5.3 (Severity: Medium)
"Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue."
release 13.16
Hi rzo -
Thank you for patching for v13.x. I unzipped release v13.16 but these two libs are not patched still:
inflating: yajsw-stable-13.16/lib/core/commons/commons-lang-2.6.jar
inflating: yajsw-stable-13.16/lib/core/commons/commons-lang3-3.12.0.jar
Thank you again.
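As an added example (not code from yajsw, nor from anyone in this thread), the check below is what a release consumer can run against an unpacked zip such as the `yajsw-stable-13.16/` listing above: it walks the tree, finds every `commons-lang-*.jar` / `commons-lang3-*.jar`, and flags versions inside the CVE-2025-48924 ranges quoted in the Mend finding (commons-lang 2.0 through 2.6; commons-lang3 3.0 before 3.18.0). It assumes the Maven-style file names used in `lib/core/commons`; the sample tree in the usage comment is constructed, and the `check-commons-lang.sh` name is hypothetical.

```shell
#!/bin/sh
# Added example, not part of yajsw or of this thread: flag Apache Commons
# Lang jars in an unpacked release tree whose version falls inside the
# CVE-2025-48924 ranges quoted in the Mend finding:
#   commons-lang  2.0 through 2.6                  (no fixed 2.x release)
#   commons-lang3 3.0 up to, not including, 3.18.0 (fixed in 3.18.0)
# Assumption: jars are named commons-lang-<ver>.jar / commons-lang3-<ver>.jar,
# as in yajsw/lib/core/commons. Shaded or renamed copies are not detected.

# Compare dotted numeric versions component-wise.
# Prints -1, 0 or 1 for $1 < $2, $1 = $2, $1 > $2 ("3.18" equals "3.18.0").
vercmp() {
  a=$(printf '%s' "$1" | tr -cd '0-9.')
  b=$(printf '%s' "$2" | tr -cd '0-9.')
  i=1
  while :; do
    x=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{ print $n }')
    y=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{ print $n }')
    if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return 0; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
}

# Classify one jar path by its file name: VULNERABLE, OK, or UNKNOWN
# (not a commons-lang artifact at all).
classify_jar() {
  name=$(basename "$1" .jar)
  case $name in
    commons-lang3-*)
      ver=${name#commons-lang3-}
      if [ "$(vercmp "$ver" 3.0)" -ge 0 ] && [ "$(vercmp "$ver" 3.18.0)" -lt 0 ]; then
        printf '%s\n' VULNERABLE
      else
        printf '%s\n' OK
      fi ;;
    commons-lang-*)
      ver=${name#commons-lang-}
      if [ "$(vercmp "$ver" 2.0)" -ge 0 ] && [ "$(vercmp "$ver" 2.6)" -le 0 ]; then
        printf '%s\n' VULNERABLE
      else
        printf '%s\n' OK
      fi ;;
    *) printf '%s\n' UNKNOWN ;;
  esac
}

# Walk a tree (for example the directory produced by unzipping a release)
# and print one "STATUS path" line per commons-lang jar found.
scan_tree() {
  find "$1" -type f \( -name 'commons-lang-*.jar' -o -name 'commons-lang3-*.jar' \) | sort |
  while IFS= read -r jar; do
    printf '%s %s\n' "$(classify_jar "$jar")" "$jar"
  done
}

# CI-style wrapper: print the report and return 1 if any jar is vulnerable.
check_tree() {
  report=$(scan_tree "$1")
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -q '^VULNERABLE '
}

# Usage (constructed tree name): sh check-commons-lang.sh yajsw-stable-13.16
if [ $# -gt 0 ]; then
  check_tree "$1"
fi
```

Run it after every release, not once: the thread shows a fixed release (13.16) still shipping the old jars because of a packaging slip, which a scan of the unpacked zip catches and a scan of the source tree would not. The check is name-based only; for a jar that has been shaded or renamed, read the version from inside it instead (for Maven-built artifacts, `unzip -p <jar> 'META-INF/maven/*/pom.properties'`).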
Thanks for pointing this out.
Something went wrong during the packing of the zip file.
release 13.17