Uncontrolled Resource Consumption Vulnerability in Apache Commons Configuration by Apache
CVE-2025-46392

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Commons Configuration
Vendor: CVE Published:; 9 May 2025

What is CVE-2025-46392?

The Apache Commons Configuration 1.x contains a significant vulnerability that can lead to excessive resource consumption under certain conditions. This issue arises when loading untrusted configurations or employing unexpected usage patterns. As a response, the Apache Commons Configuration team has not issued a fix for the 1.x version. It remains crucial for users to refrain from using untrusted sources and to only load trusted configurations to maintain a secure environment. For enhanced security, users are strongly advised to upgrade to the Apache Commons Configuration 2.x. This newer version addresses these vulnerabilities but requires careful migration as it does not serve as a drop-in replacement and operates under a different Maven groupId and Java package namespace, allowing side-by-side installation.

Affected Version(s)

Apache Commons Configuration 1 < 2.0.0

References

https://www.cve.org/CVERecord?id=CVE-2024-29131

https://www.cve.org/CVERecord?id=CVE-2024-29133

https://lists.apache.org/thread/y1pl0mn3opz6kwkm873zshjdx...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 9, 2025
Vulnerability Reserved
Apr 23, 2025