Uncontrolled Resource Consumption Vulnerability in Apache Commons Configuration by Apache
CVE-2025-46392

6.5 MEDIUM

Key Information:

Vendor

Apache

CVE Published:
9 May 2025

What is CVE-2025-46392?

Apache Commons Configuration 1.x contains a significant vulnerability that can lead to excessive resource consumption when untrusted configurations are loaded or unexpected usage patterns are employed. The Apache Commons Configuration team has not issued a fix for the 1.x line. Users of 1.x should therefore refrain from using untrusted sources and load only trusted configurations. Users are strongly advised to upgrade to Apache Commons Configuration 2.x, which addresses these vulnerabilities. Note that 2.x is not a drop-in replacement and requires careful migration: it uses a different Maven groupId and Java package namespace, which allows it to be installed side by side with 1.x.

Affected Version(s)

Apache Commons Configuration 1 < 2.0.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
