[FP]: CVE-2025-46295

[marcelstoer]

Package URl

pkg:maven/org.apache.commons/commons-text@1.10.0

CPE

cpe:2.3:a:org.apache.commons:commons-text:1.10.0:::::::*

CVE

CVE-2025-46295

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.1.9

Description

https://nvd.nist.gov/vuln/detail/CVE-2025-46295 claims

Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API.

That may be so - or not. The CVE is actually for Apple FileMaker which apparently had used commons-text < 1.10. Apart from that, the CVE contains very little information.

Note that you may also bump commons-text to the latest 1.15 for ODC to not report it anymore.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/20343288837

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/20343393400

[chadlwilson]

The CPE isn't correct here? Having said this, the NVD entry doesn't have a CPE mapping right now, so this mustn't be coming from NVD - it's coming from OSSIndex.

This is basically a duplicate of CVE-2022-42889 in the context of Filemaker however OSSIndex is tagging it incorrectly against commons-text (where it would be a duplicate) rather than just against Apple/Claris Filemaker. The CVE is poorly worded, which causes the normal confusion for researchers/AI/whatever that just tags things willy-nilly.

In either case, not something we'd do anything about here; data would need to be fixed upstream at OSSIndex.

[marcelstoer]

Chad, you were right to question this. I still feel uncertain as to when to create a false-positive suppression and when not to.

In this specific case it appears that OSSIndex has since corrected this.