
Upgrade Apache Commons BeanUtils to get rid of commons-collections 3.x #899

@jn-pt


Hi,

The ESAPI library still depends on Commons Collections 3.x, which contains a known vulnerability.
Apache Commons Collections is a transitive dependency of Apache Commons BeanUtils.
BeanUtils itself has been updated to use Commons Collections 4.x starting with BeanUtils version 2.

Is there any plan to update the BeanUtils version used in ESAPI?

Vulnerability reported by Sonatype:

https://devhub.checkmarx.com/cve-details/Cx78f40514-81ff/

Explanation: The Apache commons-collections packages are vulnerable to a Denial of Service (DoS) attack. The add() method of the SetUniqueList class mishandles the order of operations when invoking its parent List implementation. Consequently, adding an instance of itself results in infinite recursion and deviates from the behavior defined by the standard JRE List contract. A remote attacker who can cause an application to add SetUniqueList instances to themselves can exploit this vulnerability to crash the affected application with a StackOverflowError exception.
Detection: The application is vulnerable by using this component.
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Note for commons-collections:commons-collections users: The component and its vulnerable classes were relocated (moved) to org.apache.commons:commons-collections4 in later versions. As such, users should upgrade to a fixed version of commons-collections4 instead.
Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Threat Vectors: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Full Sonatype Scan Report

Issue: sonatype-2024-3350
Source: Sonatype Data Research
SONATYPE Policy Name: Security-High
SONATYPE Threat Level: 7
CVE CWE: 674
CWE URL: https://cwe.mitre.org/data/definitions/674.html
CVE CVSS 3.0: Not Set
CVE CVSS 2.0: Not Set
SONATYPE CVSS 3.0: Not Set
Remediation: No recommended versions are available for the current component.
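Because the vulnerable artifact arrives transitively, the practical first step is to find out which direct dependency drags commons-collections 3.x into the build. The following is an added example (not from the issue author or the ESAPI project): a POSIX sh function that reads the plain-text output of `mvn dependency:tree`, reports the dependency path leading to any `commons-collections:commons-collections` 3.x node, and exits non-zero so it can gate a CI job. The sample tree and its version numbers are constructed for illustration.

```sh
#!/bin/sh
# Detect commons-collections 3.x in `mvn dependency:tree` output and print
# the chain of dependencies that introduces it. Assumes the default text
# layout where each nesting level is a 3-character prefix ("+- ", "|  ",
# "\- " or "   ") following "[INFO] ".

# Constructed sample output; version numbers are illustrative, not real releases.
SAMPLE_TREE='[INFO] com.example:app:jar:1.0
[INFO] +- org.owasp.esapi:esapi:jar:2.0.0:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.0:compile
[INFO] |  |  \- commons-collections:commons-collections:jar:3.2.0:compile
[INFO] |  \- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] \- org.apache.commons:commons-collections4:jar:4.4:compile'

# Reads a dependency tree on stdin. Exit status 1 if a 3.x node was found.
find_cc3_paths() {
  awk '
    /^\[INFO\] / {
      line = substr($0, 8)                       # drop "[INFO] "
      if (match(line, /[A-Za-z0-9]/) == 0) next  # no coordinate on this line
      if ((RSTART - 1) % 3 != 0) next            # not a tree row (e.g. "--- plugin")
      coord = substr(line, RSTART)
      if (coord !~ /^[^ :]+:[^ :]+:/) next       # require groupId:artifactId:...
      depth = (RSTART - 1) / 3                   # 0 = the project itself
      stack[depth] = coord                       # remember ancestor at each level
      if (coord ~ /^commons-collections:commons-collections:jar:3\./) {
        path = stack[1]
        for (d = 2; d <= depth; d++) path = path " -> " stack[d]
        print path
        found = 1
      }
    }
    END { exit found ? 1 : 0 }'
}

# Usage on the constructed sample; a real run would pipe `mvn dependency:tree`.
printf '%s\n' "$SAMPLE_TREE" | find_cc3_paths \
  || echo "commons-collections 3.x is present; see path(s) above"
```

The printed path names the direct dependency (here the esapi node) to raise the upgrade request against, which is exactly the "contact the maintainers" step the scanner recommends.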
