Critical remote code execution flaw reported in Apache Commons Text library
Take action: If you use Apache Commons Text in your Java applications, check your version immediately and upgrade to at least version 1.10.0 (or preferably 1.15.0). This flaw allows remote code execution, so treat this update as very important. Exploits will start soon.
Learn More
A critical vulnerability has been reported in Apache Commons Text that allows attackers to inject and execute malicious code remotely when applications pass untrusted input to the text-substitution API.
Apache Commons Text is a library for processing character strings in Java applications.
The vulnerability is tracked as CVE-2025-46295 (CVSS score 9.8) and is caused by interpolation features included in older versions of the library that can trigger dangerous actions such as executing system commands or accessing external resources. The issue is similar to the Log4j disaster from 2021. The flaw was detected when an anonymous IT researcher identified the problem in Claris FileMaker Server.
The security flaw affects all versions of Apache Commons Text prior to 1.10.0. Apache Commons Text 1.10.0 and all later releases are not affected. Even though the vulnerability was patched back in late 2022 with version 1.10.0, the component has apparently not been updated in many software projects.
Organizations using the Apache Commons Text library should verify they are running at least version 1.10.0. Upgrading to the current version 1.15.0 is strongly recommended. The Apache project provides both binaries and source code for download on its official website.
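The version check above is easy to miss when the library arrives transitively or inside a shaded jar, so the following scanner, an added example that is not part of the advisory or of the Apache project, walks a directory tree (for instance a deployment folder or a local Maven repository) and reports every jar bundling Commons Text below 1.10.0. It assumes the standard Maven metadata path `META-INF/maven/org.apache.commons/commons-text/pom.properties` and falls back to the presence of the `StringSubstitutor` class when that metadata was stripped by shading.

```python
"""Flag jars that bundle Apache Commons Text older than 1.10.0 (added example)."""
import os
import re
import zipfile
from typing import List, Optional, Tuple

# Maven writes this file into every commons-text release jar; shading often keeps it.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
# Fallback marker when the metadata is gone: the class behind the substitution API.
MARKER_CLASS = "org/apache/commons/text/StringSubstitutor.class"
FIXED = (1, 10, 0)  # first release without the dangerous default lookups

Version = Optional[Tuple[int, int, int]]


def parse_version(text: str) -> Version:
    """'1.9' -> (1, 9, 0); '1.10.0-SNAPSHOT' -> (1, 10, 0); None if no version."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def inspect_jar(path: str) -> Tuple[Version, bool]:
    """Return (version, bundled). bundled=False means Commons Text is absent."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    return parse_version(line[len("version="):]), True
        if MARKER_CLASS in names:
            return None, True  # shaded without metadata: version unknown
    return None, False


def scan(root: str) -> List[Tuple[str, Version, bool]]:
    """(path, version, needs_attention) for every jar that bundles Commons Text.

    An unknown version is flagged too: an unidentifiable copy must be checked by hand.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version, bundled = inspect_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip rather than crash the scan
            if bundled:
                findings.append((path, version, version is None or version < FIXED))
    return findings
```

Run it as `scan("~/.m2/repository")` or against the application's `lib/` directory; a flagged entry with a `None` version is a shaded copy whose origin needs to be traced through the build.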