Confluent Platform ships vulnerable commons-lang3 #620

@Marcelyuser

[Bug] Confluent Platform ships vulnerable commons-lang3 (CVE-2025-48924) under kafka-rest-lib and rest-utils

Impacted components/paths

share/java/kafka-rest-lib/commons-lang3-3.17.0.jar

share/java/rest-utils/commons-lang3-3.14.0.jar

Unaffected / Correct version present elsewhere

share/java/schema-registry/commons-lang3-3.18.0.jar

Summary

When deploying Confluent Platform for Kafka, we observed older commons-lang3 JARs bundled in the kafka-rest-lib and rest-utils directories that correspond to CVE-2025-48924. In contrast, the schema-registry module already ships commons-lang3 3.18.0, which appears to be the recommended fixed version. To ensure consistency and remediate the vulnerability, please align all components on commons-lang3 3.18.0.

Environment

Confluent Platform version: [fill in, 8.0.1]

Install method: [ tar/zip ]

OS/Arch: [ Red Hat Enterprise Linux release 8.10 ]

How to reproduce

Install/deploy Confluent Platform.

Inspect bundled JARs:

ls -1 share/java/kafka-rest-lib/ | grep commons-lang3
ls -1 share/java/rest-utils/ | grep commons-lang3
ls -1 share/java/schema-registry/ | grep commons-lang3

Observe:

share/java/kafka-rest-lib/commons-lang3-3.17.0.jar

share/java/rest-utils/commons-lang3-3.14.0.jar

share/java/schema-registry/commons-lang3-3.18.0.jar

Actual behavior

kafka-rest-lib uses commons-lang3-3.17.0.jar.

rest-utils uses commons-lang3-3.14.0.jar.

These versions are flagged under CVE-2025-48924.

Expected behavior

All platform components should consume a patched commons-lang3 version, ideally matching what schema-registry already uses: 3.18.0.

Proposed remediation

Update commons-lang3 to 3.18.0 in:

share/java/kafka-rest-lib/

share/java/rest-utils/

Keep versions consistent across all modules to avoid CVE drift.

Potential impact

Reduces exposure to CVE-2025-48924 in REST-related services.

Aligns dependency hygiene with schema-registry’s already-fixed state.

Additional context / artifacts

If helpful, I can provide:

mvn dependency:tree / jar tf outputs for affected services

SBOM or scanner reports (e.g., Trivy/Grype) highlighting CVE-2025-48924

Thank you!
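The reproduction steps above check three directories by hand. The script below, an added example that is not part of the issue or of Confluent's own tooling, generalizes that check: it walks every module directory under a share/java tree, extracts the version from each commons-lang3 jar file name (the issue's listing shows the version is carried in the file name), and reports any jar below the fixed version the issue names, 3.18.0. Directory layout, the threshold version and the constructed sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the issue or from Confluent Platform.
# Scans ROOT/<module>/commons-lang3-<version>.jar and lists every jar whose
# version sorts below FIXED_VERSION. Assumes the version is in the file name,
# as in the issue's listing (an assumption; a manifest check would be stricter).

FIXED_VERSION="3.18.0"   # version the issue names as fixed for CVE-2025-48924

# version_lt A B: succeed (exit 0) if dotted version A is strictly lower than B.
# Compares field by field numerically so 3.9.0 < 3.18.0 (a plain string
# comparison would get that wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# find_vulnerable_lang3 ROOT: print "<module> <version> <path>" for each
# commons-lang3 jar under ROOT/*/ that is older than FIXED_VERSION.
# Returns 1 if at least one such jar was found, 0 if the tree is clean.
find_vulnerable_lang3() {
    root="$1"
    found=0
    for jar in "$root"/*/commons-lang3-*.jar; do
        [ -e "$jar" ] || continue            # glob matched nothing
        ver=$(basename "$jar" .jar)
        ver=${ver#commons-lang3-}            # strip the artifact prefix
        if version_lt "$ver" "$FIXED_VERSION"; then
            module=$(basename "$(dirname "$jar")")
            printf '%s %s %s\n' "$module" "$ver" "$jar"
            found=1
        fi
    done
    return $found
}

# Stand-alone use: sh check-lang3.sh /path/to/confluent/share/java
if [ "$#" -gt 0 ]; then
    if find_vulnerable_lang3 "$1"; then
        echo "no commons-lang3 jar below $FIXED_VERSION under $1"
    else
        exit 1
    fi
fi
```

Run against the install root's share/java directory; a non-zero exit with the offending modules printed is the signal to raise, which makes it usable as a gate in a deployment pipeline. The file-name check is only a first pass: a jar renamed or shaded into another artifact would not be caught, so an SBOM or scanner report (as the issue offers) remains the authoritative source.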
