Skip to content

Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader #653

New issue
New issue
Open
Open
Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader#653
@i5d6

Description

@i5d6
i5d6
opened on May 2, 2025

Upgrade commons-io:commons-io to version 2.14.0 or later. For example:

<dependency>
  <groupId>commons-io</groupId>
  <artifactId>commons-io</artifactId>
  <version>[2.14.0,)</version>
</dependency>

The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.

This issue affects Apache Commons IO: from 2.0 before 2.14.0.

Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions