Resource Exhaustion Affecting commons-configuration package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIAN13-COMMONSCONFIGURATION-10116733
- published12 May 2025
- disclosed9 May 2025
Introduced: 9 May 2025
CVE-2025-46392 (opens in a new tab)How to fix?
There is no fixed version for Debian:13 commons-configuration.
NVD Description
Note: Versions mentioned in the description apply only to the upstream commons-configuration package and not the commons-configuration package as distributed by Debian.
See How to fix? for Debian:13 relevant fixed versions and status.
Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x.
There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenario's where you only load trusted configurations.
Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.