
Upgrade maven 3.8 to use commons-lang3 >= 3.18.0 (CVE-2025-48924 GHSA-j288-q9x7-2f5v)

Open aborrero opened this issue 5 months ago • 2 comments

Affected version

3.8.x

Bug description

Please consider making the required changes to upgrade the maven-3.8.x branch to support commons-lang3 >= 3.18.0.

As of today, commons-lang3 is set to 3.8.1 in https://github.com/apache/maven/blob/maven-3.8.x/pom.xml#L54 which is affected by CVE-2025-48924.

See also: https://github.com/advisories/GHSA-j288-q9x7-2f5v

Thanks in advance.

aborrero avatar Jul 17 '25 10:07 aborrero

Worth mentioning that when I tried to update this myself, just replacing the numbers, I got something like this:

[INFO] Restricted to JDK 1.7 yet org.apache.commons:commons-lang3:jar:3.18.0:compile contains org/apache/commons/lang3/AnnotationUtils$1.class targeted to JDK 8
[..]
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (enforce-bytecode-version) on project maven-artifact: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]

So I guess more work is required beyond updating the numbers.

aborrero avatar Jul 17 '25 10:07 aborrero
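The two checks a practitioner would want after reading the thread above, written here as an added example (this is not code from the Maven project or from the commenters): flag a `commons-lang3` dependency that is still below 3.18.0, the first release the advisory lists as fixed for CVE-2025-48924, and inspect the class-file major version of every `.class` entry in a jar, which is what the enforcer's `enforce-bytecode-version` rule is complaining about (Java 7 bytecode is major version 51, Java 8 is 52). The pom fragment and the jar contents are constructed for the example; the property name `commonsLang3Version` is an assumption and is not taken from the real maven-3.8.x pom.

```python
"""Added example: dependency-version and bytecode-version checks (not Maven project code)."""
import io
import re
import struct
import zipfile
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_COMMONS_LANG3 = (3, 18, 0)  # first commons-lang3 release without CVE-2025-48924
# Class-file major versions from the JVM spec: Java 7 -> 51, Java 8 -> 52.
JAVA_MAJOR = {7: 51, 8: 52}

# Constructed pom fragment. The property name is an assumption for illustration;
# it is NOT the real maven-3.8.x pom.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <commonsLang3Version>3.8.1</commonsLang3Version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>${commonsLang3Version}</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""


def parse_version(version):
    """'3.18.0' -> (3, 18, 0); trailing qualifiers like '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def resolve(value, props):
    """Expand ${property} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def commons_lang3_version(pom_xml):
    """Return the resolved commons-lang3 version declared in the pom, or None."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "") for p in root.findall("m:properties/*", POM_NS)}
    for dep in root.iter("{http://maven.apache.org/POM/4.0.0}dependency"):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        if (gid, aid) == ("org.apache.commons", "commons-lang3"):
            return resolve(dep.findtext("m:version", default="", namespaces=POM_NS), props)
    return None


def is_vulnerable(version):
    """True when the declared version predates the fixed release."""
    return parse_version(version) < FIXED_COMMONS_LANG3


def class_major_version(data):
    """Read major_version from a class-file header: u4 magic, u2 minor, u2 major."""
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    return major


def jar_bytecode_violations(jar_bytes, max_java):
    """List (entry, major) for classes compiled above the allowed Java release."""
    limit = JAVA_MAJOR[max_java]
    violations = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                major = class_major_version(zf.read(name))
                if major > limit:
                    violations.append((name, major))
    return violations


def fake_class(major):
    """Constructed header-only class file; enough for the version check."""
    return struct.pack(">IHH", 0xCAFEBABE, 0, major) + b"\x00" * 8


def build_sample_jar():
    """Constructed jar mixing Java 7 and Java 8 class files, mirroring the enforcer message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/commons/lang3/StringUtils.class", fake_class(51))
        zf.writestr("org/apache/commons/lang3/AnnotationUtils$1.class", fake_class(52))
    return buf.getvalue()


if __name__ == "__main__":
    declared = commons_lang3_version(SAMPLE_POM)
    print(f"commons-lang3 {declared}: {'VULNERABLE' if is_vulnerable(declared) else 'ok'}")
    for entry, major in jar_bytecode_violations(build_sample_jar(), max_java=7):
        print(f"Restricted to JDK 7 yet {entry} has class-file major {major}")
```

Run against a real installation by feeding the contents of `pom.xml` to `commons_lang3_version` and the bytes of the bundled `commons-lang3-*.jar` to `jar_bytecode_violations`; the second check reproduces the enforcer's finding that a jar built for Java 8 cannot satisfy a Java 7 bytecode restriction, so bumping the version number alone is not enough on that branch.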

reference:

  • https://github.com/apache/maven-site/pull/842

slawekjaranowski avatar Jul 17 '25 10:07 slawekjaranowski