Message-ID: <1a0258a0-fd45-f0ce-3082-bb336058df53@apache.org>
Date: Thu, 14 May 2026 11:01:03 +0000
From: "Gary D. Gregory" <ggregory@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-45205: Apache Commons Configuration: StackOverflowError
 for YAML input with cycles 

Severity: low 

Affected versions:

- Apache Commons Configuration (org.apache.commons:commons-configuration2) 2.2 before 2.15.0

Description:

Uncontrolled Recursion vulnerability in Apache Commons.

When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.
This issue affects Apache Commons: from 2.2 before 2.15.0.

Users are recommended to upgrade to version 2.15.0, which fixes the issue.

Credit:

Erichen, Institute of Computing Technology, Chinese Academy of Sciences (reporter)

References:

https://github.com/apache/commons-configuration/pull/634
https://commons.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-45205
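
An added illustration, not part of the advisory and not the fix from the referenced pull request: a naive recursive walk over a cyclic object graph ends in StackOverflowError, while an identity-based pre-check rejects the cycle first. The class name, MAX_DEPTH, and the hand-built maps (standing in for parsed YAML whose alias points back to an enclosing anchor) are assumptions.

```java
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class YamlCycleCheck {
    static final int MAX_DEPTH = 64; // assumed limit for this example

    // Naive recursive walk: recurses until the stack is exhausted on a cyclic graph.
    static int countLeaves(Object node) {
        if (!(node instanceof Map)) return 1;
        int n = 0;
        for (Object v : ((Map<?, ?>) node).values()) n += countLeaves(v);
        return n;
    }

    // Rejects cycles and excessive nesting before any recursive processing.
    static void requireAcyclic(Object node, Set<Object> onPath, Set<Object> done, int depth) {
        Iterable<?> children;
        if (node instanceof Map) children = ((Map<?, ?>) node).values();
        else if (node instanceof List) children = (List<?>) node;
        else return; // scalar leaf
        if (done.contains(node)) return; // shared, acyclic subtree already verified
        if (depth > MAX_DEPTH) throw new IllegalArgumentException("nesting deeper than " + MAX_DEPTH);
        if (!onPath.add(node)) throw new IllegalArgumentException("cycle at depth " + depth);
        for (Object child : children) requireAcyclic(child, onPath, done, depth + 1);
        onPath.remove(node);
        done.add(node);
    }

    static Set<Object> identitySet() {
        // Identity comparison: equals()/hashCode() on a cyclic Map would recurse too.
        return Collections.newSetFromMap(new IdentityHashMap<>());
    }

    public static void main(String[] args) {
        // Constructed sample: a nested mapping whose "parent" entry refers back to the root.
        Map<String, Object> root = new LinkedHashMap<>();
        Map<String, Object> db = new LinkedHashMap<>();
        db.put("host", "localhost");
        db.put("parent", root);
        root.put("db", db);
        try { countLeaves(root); } catch (StackOverflowError e) { System.out.println("naive walk: StackOverflowError"); }
        try { requireAcyclic(root, identitySet(), identitySet(), 0); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The check only follows map values and list elements; collections used as map keys are not traversed.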
