What is the severity of CVE-2025-46392?

CVE-2025-46392 is categorized as a moderate severity vulnerability due to its potential for excessive resource consumption.

How do I fix CVE-2025-46392?

To fix CVE-2025-46392, update Apache Commons Configuration to the latest version that has addressed this vulnerability.

What platforms are affected by CVE-2025-46392?

CVE-2025-46392 affects all versions of Apache Commons Configuration starting from 1.0.

What causes CVE-2025-46392?

CVE-2025-46392 is caused by uncontrolled resource consumption when loading untrusted configurations or through unexpected usage patterns in Apache Commons Configuration.

Is there a workaround for CVE-2025-46392?

A potential workaround for CVE-2025-46392 is to avoid using untrusted configuration sources until the software is upgraded.

Vulnerability/
CVE-2025-46392

CWE

400

EPSS

0.017%

9/5/2025

CVE-2025-46392: Apache Commons Configuration: Uncontrolled Resource Consumption when loading untrusted configurations in 1.x

First published: Fri May 09 2025(Updated: )

Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenario's where you only load trusted configurations. Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.

Credit: security@apache.org

Affected Software	Affected Version	How to fix
Apache Commons Configuration	>=1.0
maven/commons-configuration:commons-configuration	<=1.10

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-46392?
CVE-2025-46392 is categorized as a moderate severity vulnerability due to its potential for excessive resource consumption.
How do I fix CVE-2025-46392?
To fix CVE-2025-46392, update Apache Commons Configuration to the latest version that has addressed this vulnerability.
What platforms are affected by CVE-2025-46392?
CVE-2025-46392 affects all versions of Apache Commons Configuration starting from 1.0.
What causes CVE-2025-46392?
CVE-2025-46392 is caused by uncontrolled resource consumption when loading untrusted configurations or through unexpected usage patterns in Apache Commons Configuration.
Is there a workaround for CVE-2025-46392?
A potential workaround for CVE-2025-46392 is to avoid using untrusted configuration sources until the software is upgraded.

collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/first-publish-date
agent/type
agent/guess-ai
agent/software-canonical-lookup
collector/nvd-api
source/NVD
agent/author
collector/epss-latest
source/FIRST
agent/epss
collector/github-advisory-latest
source/GitHub
alias/GHSA-pvp8-3xj6-8c6x
alias/CVE-2025-46392
agent/last-modified-date
agent/references
agent/description
agent/softwarecombine
agent/event
collector/nvd-cve
collector/oss-sec
source/oss-sec
agent/source
agent/tags
agent/trending
vendor/apache
canonical/apache commons configuration
package-manager/maven