Description
Uncontrolled Recursion vulnerability in Apache Commons.

When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.
This issue affects Apache Commons: from 2.2 before 2.15.0.

Users are recommended to upgrade to version 2.15.0, which fixes the issue.
Published: 2026-05-14
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled recursion that causes a StackOverflowError when Apache Commons Configuration processes YAML files containing cyclic references. The flaw results in an application crash, which can lead to denial of service. The weakness aligns with CWE‑674, indicating an infinite recursion bug.

Affected Systems

Apache Software Foundation’s Apache Commons Configuration library versions earlier than 2.15.0 are impacted. This includes all releases from 2.2 up to just before 2.15.0. Systems that load or parse untrusted YAML configuration files using these versions are vulnerable.

Risk and Exploitability

The flaw has no publicly disclosed exploitation code, but an attacker can trigger it simply by supplying a crafted YAML document with cyclical references. Because the error propagates to a stack overflow, the impact is a crash of the process hosting the library, potentially leading to service unavailability. No EPSS score is available, and the vulnerability is not listed in CISA KEV, but the lack of a bound to a particular remote execution makes the risk primarily availability-focused. Prior to the update, any component that reads untrusted configuration files is at risk.

Generated by OpenCVE AI on May 14, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Apache Commons Configuration 2.15.0
  • Restrict the source of YAML configuration files to trusted administrators and enforce strict input validation to reject cyclic references
  • Re‑architect configuration handling so that configuration files are processed by a dedicated secure service with limited exposure

Generated by OpenCVE AI on May 14, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache commons Configuration
Vendors & Products Apache
Apache commons Configuration

Thu, 14 May 2026 11:30:00 +0000

Type Values Removed Values Added
Description Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue affects Apache Commons: from 2.2 before 2.15.0. Users are recommended to upgrade to version 2.15.0, which fixes the issue.
Title Apache Commons Configuration: StackOverflowError for YAML input with cycles
Weaknesses CWE-674
References

Subscriptions

Apache Commons Configuration
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-14T11:22:43.908Z

Reserved: 2026-05-11T13:16:23.243Z

Link: CVE-2026-45205

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-14T12:16:35.687

Modified: 2026-05-14T12:16:35.687

Link: CVE-2026-45205

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T13:00:13Z

Weaknesses