Vulnerability via transitive commons-lang:commons-lang (CVE-2025-48924) in spring-content-commons v3.0.17 #2468

@vineshraja


Issue Summary
spring-content-commons v3.0.17 (released Feb 7, 2025) brings in commons-lang:commons-lang 2.x transitively, which is known to have a vulnerability: CVE-2025-48924.

What is the vulnerability?

  • CVE-2025-48924: Uncontrolled recursion in ClassUtils.getClass(...) may cause a StackOverflowError on long input, leading to denial-of-service conditions.
  • Affected versions: commons-lang 2.0–2.6; commons-lang3 before 3.18.0.

Impact
Applications depending on this library may inherit the vulnerability indirectly, posing a risk.

Recommendation

  • Upgrade to org.apache.commons:commons-lang3:3.18.0.
  • If necessary, document and exclude the vulnerable commons-lang:commons-lang from transitive resolution.

References

  • Apache/NVD details on CVE-2025-48924.
  • GitHub issue in hapi-fhir showing detection and fix suggestion.
  • Snyk data reflecting the same vulnerability.

Environment

  • spring-content-commons version: 3.0.17.
  • Build tool: [Maven/Gradle], JDK version: [e.g., 17.0.x], OS: [e.g., Windows/Linux].

I can assist by providing a minimal POM or sample project if that helps confirm and resolve the issue.

Thank you!
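The exclusion route from the Recommendation above, shown as a Maven POM fragment; this is an added example and not code from the issue author or the Spring Content project. It assumes `com.github.paulcwarren` as the spring-content-commons groupId and that, as the issue reports, spring-content-commons is the path through which `commons-lang:commons-lang` 2.x enters the build.

```xml
<!-- Before: the dependency as declared in the reporting build. On its own it
     brings in commons-lang:commons-lang 2.x transitively (per this issue). -->
<dependency>
  <groupId>com.github.paulcwarren</groupId> <!-- groupId assumed -->
  <artifactId>spring-content-commons</artifactId>
  <version>3.0.17</version>
</dependency>

<!-- After: exclude the vulnerable 2.x artifact at the point it enters, and
     declare commons-lang3 3.18.0 explicitly so the fixed version is pinned
     in this build rather than left to transitive resolution. -->
<dependency>
  <groupId>com.github.paulcwarren</groupId> <!-- groupId assumed -->
  <artifactId>spring-content-commons</artifactId>
  <version>3.0.17</version>
  <exclusions>
    <exclusion>
      <groupId>commons-lang</groupId>
      <artifactId>commons-lang</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-lang3</artifactId>
  <version>3.18.0</version>
</dependency>
```

Confirm the result with `mvn dependency:tree -Dincludes=commons-lang:commons-lang`, which should report no matching artifact once the exclusion is in place. Note that commons-lang 2.x (package `org.apache.commons.lang`) and commons-lang3 (package `org.apache.commons.lang3`) are separate packages, so excluding the 2.x jar is only safe if nothing on the runtime classpath still loads classes from the 2.x package.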
