CVE-2025-46392

There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenario's where you only load trusted configurations.

Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.

Database specific

{
    "cwe_ids": [
        "CWE-400"
    ],
    "cna_assigner": "apache",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46392.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "1"
                },
                {
                    "fixed": "2.0.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}

References

Affected packages

Git / github.com/apache/commons-configuration

Affected ranges

Type

GIT

Repo

https://github.com/apache/commons-configuration

Events

Introduced

6c460662af216ac3777b03b9d641451486bc238d

Fixed

25c16206e0452a3b68abf4158c4d8f2ea38305da

Database specific

{
    "extracted_events": [
        {
            "introduced": "1.0"
        },
        {
            "fixed": "2.0"
        }
    ],
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:*"
}

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-46392.json"