Security Advisory 2022-072

Release Date:

Apache Commons Text Vulnerability



  • 19/10/2022 - v1.0 - Initial publication


A vulnerability tracked as CVE-2022-42889, with a CVSS score of 9.8, was found in Apache Commons Text versions 1.5 through 1.9. The affected versions allow an attacker to abuse the variable interpolation process in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers [1].

Technical Details

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is ${prefix:name}, where prefix is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

  • script - execute expressions using the JVM script execution engine (javax.script)
  • dns - resolve DNS records
  • url - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used [2, 3].

Affected Products

  • Apache Commons Text version 1.5 to 1.9


CERT-EU recommends upgrading to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. If these interpolators have to remain enabled, text input should be accepted from trusted sources only. The flaw may be avoided by ensuring that any external inputs used with the Commons Text lookup methods are sanitized properly [4].
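
One way to keep the script, dns and url lookups out of reach is to build the substitutor from an explicit allow-list instead of the interpolation defaults. This is an added example, not code from CERT-EU or the Apache Commons Text project; the class name SafeInterpolation, the "app" prefix and the sample values are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Hypothetical helper class, not part of Apache Commons Text.
public class SafeInterpolation {

    // Build a substitutor that resolves only the prefixes registered here.
    static StringSubstitutor allowListed(Map<String, String> appValues) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;

        Map<String, StringLookup> lookups = new HashMap<>();
        // ${app:name} is answered from an in-memory map the application controls.
        lookups.put("app", factory.mapStringLookup(appValues));

        // No default lookup (null) and addDefaultLookups = false:
        // script, dns, url and the other built-in lookups are never registered.
        StringLookup interpolator =
                factory.interpolatorStringLookup(lookups, null, false);

        StringSubstitutor substitutor = new StringSubstitutor(interpolator);
        // Values returned by a lookup are treated as data and are not
        // scanned again for further ${...} expressions.
        substitutor.setDisableSubstitutionInValues(true);
        return substitutor;
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice"); // constructed sample value

        // Constructed sample input mixing an allowed and a non-allowed prefix.
        String input = "Hello ${app:user}, host=${dns:example.invalid}";

        // Risky on 1.5 through 1.9 with untrusted input:
        //   StringSubstitutor.createInterpolator().replace(input)
        // The allow-listed substitutor expands ${app:user} and leaves the
        // unregistered ${dns:...} expression unresolved in the output.
        System.out.println(allowListed(values).replace(input));
    }
}
```

This restricts what the library will resolve; it complements, and does not replace, the upgrade to 1.10.0.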





