CVE-2025-46392: Apache Commons Configuration: Uncontrolled Resource Consumption when loading untrusted configurations in 1.x

Q: What is the severity of CVE-2025-46392?

CVE-2025-46392 is categorized as a moderate severity vulnerability due to its potential for excessive resource consumption.

Q: How do I fix CVE-2025-46392?

To fix CVE-2025-46392, update Apache Commons Configuration to the latest version that has addressed this vulnerability.

Q: What platforms are affected by CVE-2025-46392?

CVE-2025-46392 affects all versions of Apache Commons Configuration starting from 1.0.

Q: What causes CVE-2025-46392?

CVE-2025-46392 is caused by uncontrolled resource consumption when loading untrusted configurations or through unexpected usage patterns in Apache Commons Configuration.

Q: Is there a workaround for CVE-2025-46392?

A potential workaround for CVE-2025-46392 is to avoid using untrusted configuration sources until the software is upgraded.

Published May 9, 2025

Updated

Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x.

There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenario's where you only load trusted configurations.

Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.

Other sources

Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x.

— GitHub

Affected Software

4 affected components

Apache Commons Configuration>=1.0

maven/commons-configuration:commons-configuration<=1.10

Apache Commons Configuration>=1.0<2.0

IBM Knowledge Catalog Standard Cartridge<=5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1, 5.1.1, 5,1.2, 5.1.3, 5.2.0, 5.2.1

Event History

May 9, 2025

CVE Published

via MITRE·09:34 AM

Data Sourced

via MITRE·09:34 AM

DescriptionWeakness

Data Sourced

via NVD·10:15 AM

DescriptionSeverityWeakness

Data Sourced

via NVD·10:15 AM

Affected Software

Advisory Published

via GitHub·12:31 PM

Mar 25, 2026

Data Sourced

via IBM·12:00 AM

DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

IBM-7267542

Frequently Asked Questions

What is the severity of CVE-2025-46392?

CVE-2025-46392 is categorized as a moderate severity vulnerability due to its potential for excessive resource consumption.

How do I fix CVE-2025-46392?

To fix CVE-2025-46392, update Apache Commons Configuration to the latest version that has addressed this vulnerability.

What platforms are affected by CVE-2025-46392?

CVE-2025-46392 affects all versions of Apache Commons Configuration starting from 1.0.

What causes CVE-2025-46392?

CVE-2025-46392 is caused by uncontrolled resource consumption when loading untrusted configurations or through unexpected usage patterns in Apache Commons Configuration.

Is there a workaround for CVE-2025-46392?

A potential workaround for CVE-2025-46392 is to avoid using untrusted configuration sources until the software is upgraded.

CVE-2025-46392: Apache Commons Configuration: Uncontrolled Resource Consumption when loading untrusted configurations in 1.x

Other sources

Affected Software

Event History

Parent advisories

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2025-46392?

How do I fix CVE-2025-46392?

What platforms are affected by CVE-2025-46392?

What causes CVE-2025-46392?

Is there a workaround for CVE-2025-46392?

Company

Resources

Contact