CVE-2026-45205
MEDIUM
CVSS 5.3
No EPSS data
Description
Uncontrolled Recursion vulnerability (CWE-674) in Apache Commons Configuration.
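When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. StackOverflowError is a java.lang.Error rather than an Exception, so a handler that catches only Exception does not intercept it, and the failure can end the thread that is loading the configuration.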
This issue affects Apache Commons Configuration (Maven package org.apache.commons:commons-configuration2): from 2.2 before 2.15.0.
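Users are recommended to upgrade to version 2.15.0, which fixes the issue. As described above, the issue is triggered when a YAML configuration file from an untrusted source is processed, so deployments that load such files are the ones to prioritise.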
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2026-45205",
"cveTags": [],
"metrics": {
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-45205",
"role": "CISA Coordinator",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"version": "2.0.3",
"timestamp": "2026-05-14T15:27:15.775461Z"
}
}
],
"cvssMetricV31": [
{
"type": "Secondary",
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 5.3,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"integrityImpact": "NONE",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "LOW",
"privilegesRequired": "NONE",
"confidentialityImpact": "NONE"
},
"impactScore": 1.4,
"exploitabilityScore": 3.9
}
]
},
"affected": [
{
"source": "security@apache.org",
"affectedData": [
{
"vendor": "Apache Software Foundation",
"product": "Apache Commons Configuration",
"versions": [
{
"status": "affected",
"version": "2.2",
"lessThan": "2.15.0",
"versionType": "semver"
}
],
"packageName": "org.apache.commons:commons-configuration2",
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected"
}
]
}
],
"published": "2026-05-14T12:16:35.687",
"references": [
{
"url": "https://github.com/apache/commons-configuration/pull/634",
"tags": [
"Issue Tracking",
"Patch"
],
"source": "security@apache.org"
},
{
"url": "https://lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"source": "security@apache.org"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/5",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"source": "af854a3a-2127-422b-91ae-364da2661108"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Secondary",
"source": "security@apache.org",
"description": [
{
"lang": "en",
"value": "CWE-674"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled Recursion vulnerability in Apache Commons.\n\nWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\nThis issue affects Apache Commons: from 2.2 before 2.15.0.\n\nUsers are recommended to upgrade to version 2.15.0, which fixes the issue."
}
],
"lastModified": "2026-06-17T10:51:46.187",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A0F44897-8ACE-43B1-BC15-D18A745B7A82",
"versionEndExcluding": "2.15.0",
"versionStartIncluding": "2.2"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security@apache.org"
}
}