CVE-2026-45205
MEDIUM
CVSS 5.3
No EPSS data
Description
Uncontrolled Recursion vulnerability (CWE-674) in Apache Commons Configuration.
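When Commons Configuration processes an untrusted YAML configuration file that contains cycles, it recurses without bound and throws a StackOverflowError. Because StackOverflowError is a java.lang.Error rather than an Exception, handlers that catch only Exception will not intercept it, so the practical impact is on availability (the CVSS vector rates it A:L).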
This issue affects Apache Commons Configuration versions from 2.2 up to, but not including, 2.15.0.
Users are recommended to upgrade to version 2.15.0, which fixes the issue.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2026-45205",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 5.3,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"integrityImpact": "NONE",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "LOW",
"privilegesRequired": "NONE",
"confidentialityImpact": "NONE"
},
"impactScore": 1.4,
"exploitabilityScore": 3.9
}
]
},
"published": "2026-05-14T12:16:35.687",
"references": [
{
"url": "https://github.com/apache/commons-configuration/pull/634",
"source": "security@apache.org"
},
{
"url": "https://lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk",
"source": "security@apache.org"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/5",
"source": "af854a3a-2127-422b-91ae-364da2661108"
}
],
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"type": "Secondary",
"source": "security@apache.org",
"description": [
{
"lang": "en",
"value": "CWE-674"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled Recursion vulnerability in Apache Commons.\n\nWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\nThis issue affects Apache Commons: from 2.2 before 2.15.0.\n\nUsers are recommended to upgrade to version 2.15.0, which fixes the issue."
}
],
"lastModified": "2026-05-14T21:16:48.047",
"sourceIdentifier": "security@apache.org"
}
}