CVE-2024-47554

Denial of Service
Affects: Apache Commons IO
Versions: >=2.0 <2.14.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Commons IO is a library of utilities to assist with developing IO functionality. The library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more. It is widely used across the Java ecosystem to simplify common input/output operations.

A Denial of Service (DoS) vulnerability (CVE-2024-47554) has been identified in the XmlStreamReader class of Apache Commons IO. An attacker who can supply maliciously crafted XML input to this class can cause excessive CPU consumption, potentially rendering the application unresponsive.

According to OWASP, a Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to legitimate users, among them manipulating network packets or exploiting programming, logic, or resource-handling vulnerabilities. If a service receives specially crafted input that exploits a resource-consumption flaw, it may cease to be available to legitimate users.

This issue affects multiple versions of Apache Commons IO.

Details

Vulnerability Info

The security flaw exists in the org.apache.commons.io.input.XmlStreamReader class within Apache Commons IO. When this class processes XML input, it performs character encoding detection on the stream before handing it to the caller. With maliciously crafted input, the encoding detection logic can be driven to consume excessive CPU time.

An application is vulnerable if:

  • It uses Apache Commons IO versions from 2.0 before 2.14.0.
  • The application processes XML input from untrusted sources using the XmlStreamReader class.
  • The XML input can be controlled or influenced by users external to the application/system.
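As an added illustration (not part of the HeroDevs advisory), the following Python check scans `mvn dependency:list` output for commons-io coordinates whose version falls inside the advisory's affected range; the sample output lines below are constructed, not taken from a real build.

```python
"""Flag Apache Commons IO versions in the CVE-2024-47554 affected range (>=2.0 <2.14.0)."""
import re

AFFECTED_MIN = (2, 0, 0)   # inclusive lower bound from the advisory
FIXED_IN = (2, 14, 0)      # exclusive upper bound: 2.14.0 and later are fixed


def parse_version(text):
    """Turn '2.11.0' or '2.7' into a 3-part int tuple, ignoring a qualifier such as '-SNAPSHOT'.

    Padding to three parts keeps '2.14' from comparing as less than '2.14.0'.
    """
    core = text.split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(version):
    """True if the given commons-io version lies in [2.0, 2.14.0)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


# `mvn dependency:list` prints lines like:
#   [INFO]    commons-io:commons-io:jar:2.11.0:compile
DEP_RE = re.compile(r"commons-io:commons-io:\w+:([\w.\-]+)")


def find_affected(dependency_list_output):
    """Return the affected commons-io versions found in the Maven output, in order."""
    hits = []
    for line in dependency_list_output.splitlines():
        m = DEP_RE.search(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample output: one affected and one fixed commons-io coordinate.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    commons-io:commons-io:jar:2.11.0:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    commons-io:commons-io:jar:2.14.0:test
"""

if __name__ == "__main__":
    for v in find_affected(SAMPLE_OUTPUT):
        print(f"commons-io {v} is affected by CVE-2024-47554; upgrade to 2.14.0 or later")
```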

Mitigation

Only recent versions of Apache Commons IO are community-supported, and only those versions will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected versions to supported versions of Apache Commons IO (2.14.0 or later).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • CodeQL (tool)

Vulnerability Details

ID: CVE-2024-47554
Project Affected: Apache Commons IO
Versions Affected: >=2.0 <2.14.0
Published date: October 15, 2025
≈ Fix date: October 14, 2025
Severity: Medium (CVSS scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
Category: Denial of Service