https://github.com/apache/storm/pull/8424

On Thu, 12 Mar 2026 at 21:21, Rui Abreu <[email protected]> wrote:
>
> Please open an issue for it in Github. If you are unable to open a PR,
> we can try to pick it up.
>
> On Thu, 12 Mar 2026 at 15:55, Richard Zowalla <[email protected]> wrote:
> >
> > Hi,
> >
> > Feel free to propose this change in a PR :)
> >
> > Regards
> > Richard
> >
> > > On 12.03.2026 at 10:26, YUGENDRAN R S <[email protected]> wrote:
> > >
> > > Hello Team,
> > >
> > > As you are aware, Apache Storm currently depends on commons-lang 2.6 and
> > > this version is affected by CVE-2025-48924
> > > <https://nvd.nist.gov/vuln/detail/CVE-2025-48924> - an Uncontrolled
> > > Recursion vulnerability. The commons-lang 2.x is end-of-life with no active
> > > maintenance.
> > >
> > > As Storm already started using commons-lang 3.x from 2.6.0
> > > <https://issues.apache.org/jira/browse/STORM-3972>, do we have plans to
> > > migrate commons-lang from 2.x to 3.x? Which means, migrate all the internal
> > > code references from org.apache.commons.lang* to
> > > org.apache.commons.lang3.*, make the API level changes and fully remove the
> > > commons-lang 2.6 dependency from all build files once migration is complete.
> > >
> > > This migration will resolve the known vulnerability, align Storm with an
> > > actively maintained library & reduce exposure to any future vulnerabilities.
> > >
> > >
> > > Thanks
> > > Yugendran
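The migration described in the thread (move every org.apache.commons.lang.* reference to lang3 and drop the commons-lang 2.6 artifact from the build files) is easy to leave half-finished because a naive "commons.lang" search also matches lang3. The script below is an added audit example, not code from the Storm project or from anyone in the thread; it builds a constructed sample tree and reports what still has to be migrated.

```shell
#!/bin/sh
# Added example (not from the Storm project or the thread): audit a source tree for
# leftover commons-lang 2.x usage that a 3.x migration must replace.
# A plain "commons.lang" grep also matches lang3, so the patterns below anchor on
# the dot after "lang" and on the exact Maven artifactId.

# Print Java files still referencing org.apache.commons.lang.* (2.x), one per line.
find_lang2_sources() {
    dir="$1"
    grep -rlE 'org\.apache\.commons\.lang\.' --include='*.java' "$dir" 2>/dev/null | sort
}

# Print build files that still declare the commons-lang (2.x) Maven artifact.
find_lang2_build_refs() {
    dir="$1"
    grep -rlE '<artifactId>commons-lang</artifactId>' --include='pom.xml' "$dir" 2>/dev/null | sort
}

# Number of remaining 2.x references; 0 means the migration is complete for this tree.
count_lang2_refs() {
    dir="$1"
    s=$(find_lang2_sources "$dir" | wc -l)
    b=$(find_lang2_build_refs "$dir" | wc -l)
    echo $((s + b))
}

# Constructed sample tree: one file already on lang3, one still on lang 2.x, and a
# pom.xml that declares both artifacts (the 2.6 one is the leftover to remove).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/src/a" "$root/src/b"
    printf 'import org.apache.commons.lang3.StringUtils;\n' > "$root/src/a/Done.java"
    printf 'import org.apache.commons.lang.StringUtils;\n' > "$root/src/b/Todo.java"
    cat > "$root/pom.xml" <<'EOF'
<project>
  <dependencies>
    <dependency><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId><version>2.6</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId></dependency>
  </dependencies>
</project>
EOF
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "Remaining commons-lang 2.x references: $(count_lang2_refs "$tree")"
    find_lang2_sources "$tree"; find_lang2_build_refs "$tree"
    rm -rf "$tree"
fi
```

Run it with `--demo` against the constructed tree, or call the two find functions on a real checkout; the demo reports two leftovers (Todo.java and pom.xml) and ignores the lang3 import.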
