Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x.
There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenario's where you only load trusted configurations.
Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.
CVSS
No CVSS.
References
| Link | Resource |
|---|---|
| https://lists.apache.org/thread/y1pl0mn3opz6kwkm873zshjdxq3dwq5s | Mailing List Vendor Advisory |
| https://www.cve.org/CVERecord?id=CVE-2024-29131 | Not Applicable |
| https://www.cve.org/CVERecord?id=CVE-2024-29133 | Not Applicable |
Configurations
History
16 Jul 2025, 14:52
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://lists.apache.org/thread/y1pl0mn3opz6kwkm873zshjdxq3dwq5s - Mailing List, Vendor Advisory | |
| References | () https://www.cve.org/CVERecord?id=CVE-2024-29133 - Not Applicable | |
| References | () https://www.cve.org/CVERecord?id=CVE-2024-29131 - Not Applicable | |
| First Time |
Apache
Apache commons Configuration |
|
| CPE | cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:* |
13 May 2025, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| CWE |
09 May 2025, 10:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-05-09 10:15
Updated : 2025-07-16 14:52
NVD link : CVE-2025-46392
Mitre link : CVE-2025-46392
JSON object : View
Products Affected
apache
- commons_configuration
CWE
No CWE.