Apache Commons Text: Code injection vulnerability in older versions
Apache Commons Text is used for processing character strings in Java apps. A critical vulnerability allows the injection of malicious code.
A security vulnerability has been discovered in the “Apache Commons Text” library. It allows attackers to inject and execute malicious code from the network. A fixed version has been available for a long time; however, the component has apparently not yet been updated in some software projects.
According to the vulnerability description, versions before 1.10.0 of Apache Commons Text shipped interpolation functions that could be misused if an application passed untrusted input to the text substitution API. Because some of these interpolators could trigger actions such as executing commands or accessing external resources, attackers may be able to inject and execute malicious code from the network (CVE-2025-46295, CVSS 9.8, risk “critical”).
This is reminiscent of a vulnerability in Apache Commons Text that the project already patched at the end of 2022, with the same version that now closes the newly reported security vulnerability: Apache Commons Text 1.10.0. The vulnerability at the time was already compared to the Log4j disaster of 2021, as is the one reported now.
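To make the risk described above concrete from the defender's side, here is an added Java example (not code from heise, Claris or the Apache project) that shows the substitution pattern to avoid beside a restricted one that only resolves the application's own variables, and reads the commons-text version from the JAR manifest so the 1.10.0 baseline can be checked at runtime. It assumes `commons-text` is on the classpath; the sample input string and the variable name `user` are constructed for the demonstration, and the version string is `null` if the manifest carries no Implementation-Version.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeSubstitution {

    // Constructed sample of user-controlled text. With a restricted lookup the
    // ${script:...} part must survive unchanged, i.e. it is never evaluated.
    static final String UNTRUSTED = "Hello ${user}, ${script:javascript:1+1}";

    // Pattern to avoid with untrusted text: the default interpolator. Before
    // 1.10.0 its default lookup set included script, dns and url, so text such
    // as UNTRUSTED could trigger code execution or network access.
    static String riskyReplace(String text) {
        return StringSubstitutor.createInterpolator().replace(text);
    }

    // Restricted pattern: an interpolator with NO default lookups
    // (addDefaultLookups = false) and an empty prefix map, so the only thing
    // that can ever resolve is our own map of known variables.
    static StringSubstitutor restrictedSubstitutor(Map<String, String> vars) {
        StringLookup onlyVars = StringLookupFactory.INSTANCE.mapStringLookup(vars);
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Collections.emptyMap(), onlyVars, false);
        StringSubstitutor sub = new StringSubstitutor(lookup);
        // Resolved values are not substituted again, so a value that itself
        // contains ${...} cannot smuggle in a second round of lookups.
        sub.setDisableSubstitutionInValues(true);
        return sub;
    }

    // Reads the version recorded in the commons-text JAR manifest, if any.
    static String libraryVersion() {
        return StringSubstitutor.class.getPackage().getImplementationVersion();
    }

    public static void main(String[] args) {
        Map<String, String> vars = new HashMap<>();
        vars.put("user", "alice"); // constructed sample variable

        StringSubstitutor safe = restrictedSubstitutor(vars);
        System.out.println(safe.replace(UNTRUSTED));

        String version = libraryVersion();
        System.out.println("commons-text Implementation-Version: "
                + (version == null ? "not recorded in manifest" : version));
    }
}
```

Because the unknown prefix `script` is neither in the (empty) prefix map nor resolvable by the plain map lookup, the substitutor leaves that placeholder as literal text while `${user}` is still filled in. The manifest check is a convenience for a runtime log line; the authoritative answer is still the dependency tree of the build, which should show commons-text at 1.10.0 or later.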
Vulnerable library in other software packages
The issue was noticed by an “anonymous IT researcher” who discovered the problem in FileMaker Server. According to the manufacturer Claris' security notice, the developers have updated the Apache Commons Text library to version 1.14.0 and incorporated this into FileMaker Server 22.0.4.
Anyone using the “Apache Commons Text” library should ensure they are running at least version 1.10.0; better still is the current version 1.15.0 from early December 2025. The project provides both binaries and source code for download on the Apache website, so IT managers can perform the update.
(dmk)