A newly disclosed safety flaw in Apache Commons Textual content, tracked as CVE-2025-46295, has been recognized as a distant code execution (RCE) vulnerability.
That would enable attackers to compromise methods utilizing weak variations of the library. The difficulty impacts Apache Commons Textual content variations earlier than 1.10.0, which comprise unsafe interpolation options.
That could be exploited when functions course of untrusted person enter. Apache Commons Textual content is a extensively used Java library for string manipulation and textual content substitution.
Unsafe Interpolation Options
The vulnerability stems from the library’s interpolation mechanism, which might consider expressions or reference exterior information sources dynamically.
If an software consists of user-controlled information inside the text-substitution API, attackers may craft malicious payloads to set off arbitrary code execution or work together with distant assets.
In keeping with Claris advisory particulars, this flaw has already been addressed by upgrading Apache Commons Textual content to a safe model.
RowDetailsCVE IDCVE-2025-46295Vulnerability TypeRemote Code Execution (RCE)DescriptionVulnerability in Apache Commons Textual content that permits execution of arbitrary code by way of untrusted enter in textual content interpolation.Affected VersionsApache Commons Textual content variations previous to 1.10.0Impacted ProductFileMaker Server 2025
FileMaker Server, which contains this part, has confirmed that the difficulty has been absolutely mitigated in FileMaker Server 22.0.4.
The library has been up to date to model 1.14.0. Customers working older releases stay uncovered and will prioritize making use of the most recent updates instantly.
The invention of CVE-2025-46295 underscores the continued dangers posed by transitive dependencies in fashionable software program provide chains.
Even utilities used not directly inside massive functions can introduce extreme safety weaknesses if not usually maintained or up to date.
Organizations relying on Java-based providers ought to evaluation their construct environments. Dependencies to confirm that weak variations of Apache Commons Textual content are not in use.
Claris FileMaker acknowledged and credited an nameless researcher for responsibly reporting the vulnerability.
The corporate emphasizes that preserving parts updated is important to sustaining safe deployments, notably for server-side environments uncovered to the web.
Safety groups are urged to implement the fastened launch and carry out dependency scans throughout all tasks to stop potential exploitation of this high-severity RCE flaw.
AI-Powered ISO 27001, SOC 2, NIST, NIS 2, and GDPR Compliance Guidelines => Begin for Free
