Skip to main content

CVE-2025-48924

CVE-2025-48924

Issue in Apache Commons Lang

FALSE POSITIVE

Rundeck and Runbook Automation are not vulnerable to this CVE.

CVE-2025-48924 describes an Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects commons-lang:commons-lang versions 2.0 to 2.6, and org.apache.commons:commons-lang3 versions 3.0 before 3.18.0. The vulnerability is present in the ClassUtils.getClass(...) method, which can throw a StackOverflowError on very long inputs. Since errors of this type are typically not handled, this could cause an application to stop unexpectedly. The recommended mitigation is to upgrade to version 3.18.0 or later.

After review, we have confirmed that neither Rundeck nor Runbook Automation use the affected ClassUtils.getClass(...) method, so this vulnerability does not impact our products.