Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-46392

Good to know:

icon

Date: May 9, 2025

Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenario's where you only load trusted configurations. Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.

Severity Score

Related Resources (6)

https://www.cve.org/CVERecord?id=CVE-2024-29133
https://lists.apache.org/thread/y1pl0mn3opz6kwkm873zshjdxq3dwq5s
https://github.com/apache/commons-configuration
https://nvd.nist.gov/vuln/detail/CVE-2025-46392
https://www.cve.org/CVERecord?id=CVE-2024-29131
https://www.mend.io/vulnerability-database/CVE-2025-46392

Severity Score

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Top Fix

icon

Upgrade Version

Upgrade to version commons-configuration:commons-configuration:2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us