Skip to main content

Apache Commons Configuration EUVDEUVD-2026-30267

| CVE-2026-45205 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-14 apache GHSA-337m-mw94-2v6g
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

5
Source Code Evidence Fetched
May 14, 2026 - 16:23 vuln.today
Analysis Generated
May 14, 2026 - 16:23 vuln.today
CVSS changed
May 14, 2026 - 16:22 NVD
5.3 (MEDIUM)
CVE Published
May 14, 2026 - 11:22 nvd
MEDIUM 5.3
CVE Published
May 14, 2026 - 11:22 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 586 maven packages depend on org.apache.commons:commons-configuration2 (385 direct, 202 indirect)

Ecosystem-wide dependent count for version 2.2.

DescriptionCVE.org

Uncontrolled Recursion vulnerability in Apache Commons.

When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue affects Apache Commons: from 2.2 before 2.15.0.

Users are recommended to upgrade to version 2.15.0, which fixes the issue.

AnalysisAI

Uncontrolled recursion in Apache Commons Configuration 2.2 through 2.14.x allows remote attackers to trigger a denial of service via StackOverflowError when processing YAML configuration files containing cyclic object references. The vulnerability affects any application using the library to parse untrusted YAML input without validation, with CVSS 5.3 (network-accessible, no authentication required) but exceptionally low exploitation probability (EPSS 0.02%, percentile 5%), indicating this is primarily a defensive hardening fix rather than an actively exploited threat.

Technical ContextAI

Apache Commons Configuration is a Java library for reading configuration files in multiple formats including YAML, XML, and properties. The vulnerability resides in the AbstractYAMLBasedConfiguration.constructHierarchy() method, which recursively processes nested YAML structures (maps and collections) without cycle detection. When a YAML parser (via SnakeYAML) constructs a cyclic object graph-where a container references itself directly or indirectly through nested structures-the recursive hierarchy construction enters infinite recursion, exhausting the JVM stack. The root cause is CWE-674 (Uncontrolled Recursion), not a buffer overflow despite the misleading tag. The fix introduces a visited set using System.identityHashCode() to track already-processed object instances and short-circuit recursion when a cycle is detected.

RemediationAI

Upgrade Apache Commons Configuration to version 2.15.0 or later, which includes the cycle detection fix. The patch adds a visited set to track processed objects and returns an empty node list when a cycle is detected, preventing StackOverflowError. For applications unable to upgrade immediately, implement validation on untrusted YAML configuration files using a YAML parser with depth limits or use a custom LoaderOptions with restrictive settings in SnakeYAML (e.g., setMaxAliasesForCollections() to limit circular references), though this requires code changes and may reject legitimate deeply-nested configs. If YAML configuration is sourced from untrusted users, prefer external file upload restrictions or sandboxed parsing with resource limits (e.g., fork YAML parsing in a thread with a stack-size limit via ThreadGroup). See Apache advisory at https://lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk and patch source at https://github.com/apache/commons-configuration/pull/634.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-30267 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy