ajay kumar created SPARK-55972:
----------------------------------
Summary: Security Issue: commons-lang-2.6 Dependency in Apache Spark (CVE-2025-48924)
Key: SPARK-55972
URL: https://issues.apache.org/jira/browse/SPARK-55972
Project: Spark
Issue Type: Bug
Components: Spark Core
Affects Versions: 4.1.1
Reporter: ajay kumar
The security advisory *CVE-2025-48924* recommends upgrading *{{commons-lang-2.6}}* to *{{commons-lang3-3.18}}*.
[https://nvd.nist.gov/vuln/detail/CVE-2025-48924]
This dependency originates from *Apache Spark dependency jars*.
The latest Apache Spark currently loads *both libraries simultaneously*:
* {{commons-lang-2.6.0.jar}}
* {{commons-lang3-3.18.0.jar}}
This occurs because:
* {{commons-lang}} (v2.x) and {{commons-lang3}} (v3.x) use *different Java packages*
* Legacy Spark components still reference *{{org.apache.commons.lang.}}*
* Newer modules use *{{org.apache.commons.lang3.}}*
If *{{commons-lang-2.6.0.jar}} is removed*, the Spark runtime encounters *class loading failures*, which results in runtime errors in Spark.
Therefore, *removing or replacing the library is not currently feasible without breaking dependencies*.
*Can you please fix it in the latest release and backport the fix to the previous release 3.5.0 also?*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
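As an added example, not code from the issue or from the Spark project, the Python check below does by script what the report describes by hand: it inventories the commons-lang jars in a jars directory, flags a 2.x artifact or a commons-lang3 older than the 3.18.0 named by the advisory, and lists which other jars still mention {{org/apache/commons/lang/}} in their class files (class references sit in the constant pool as slash-separated internal names, so the prefix matches the 2.x package but never {{lang3}}). Those are the jars that would hit class-loading failures if {{commons-lang-2.6.0.jar}} were dropped. The function names, the fixture jars and the stand-in class bytes are constructed assumptions; point {{inventory()}} and {{jars_referencing_legacy_package()}} at a real {{$SPARK_HOME/jars}} to use it.

```python
"""Inventory commons-lang jars in a Spark-style jars directory and find which
other jars still reference the legacy org.apache.commons.lang package."""
import re
import tempfile
import zipfile
from pathlib import Path

# Matches the artifact names listed in the issue: commons-lang-2.6.0.jar, commons-lang3-3.18.0.jar
JAR_RE = re.compile(r"^(commons-lang3?)-(\d+(?:\.\d+)*)\.jar$")
# Internal-name prefix of the 2.x package; "org/apache/commons/lang3/" never contains it.
LEGACY_PKG = b"org/apache/commons/lang/"
FIXED_LANG3 = (3, 18, 0)  # upgrade target quoted from the advisory in the issue


def parse_version(text):
    """'3.18.0' -> (3, 18, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def inventory(jar_dir):
    """Map artifact id -> version tuple for every commons-lang jar in jar_dir."""
    found = {}
    for path in Path(jar_dir).glob("*.jar"):
        match = JAR_RE.match(path.name)
        if match:
            found[match.group(1)] = parse_version(match.group(2))
    return found


def assess(found):
    """Turn the inventory into a list of findings; an empty list means nothing to report."""
    findings = []
    if "commons-lang" in found:
        version = ".".join(map(str, found["commons-lang"]))
        findings.append("commons-lang %s (2.x line) present: advisory says migrate to commons-lang3" % version)
    lang3 = found.get("commons-lang3")
    if lang3 is not None and lang3 < FIXED_LANG3:
        findings.append("commons-lang3 %s is older than 3.18.0" % ".".join(map(str, lang3)))
    return findings


def jars_referencing_legacy_package(jar_dir):
    """Names of jars (other than commons-lang itself) whose .class entries mention the 2.x package.
    These are the jars that would fail class loading if commons-lang-2.6.0.jar were removed."""
    hits = []
    for path in sorted(Path(jar_dir).glob("*.jar")):
        if JAR_RE.match(path.name):
            continue  # the commons-lang artifacts themselves are not consumers
        with zipfile.ZipFile(path) as jar:
            if any(name.endswith(".class") and LEGACY_PKG in jar.read(name)
                   for name in jar.namelist()):
                hits.append(path.name)
    return hits


def build_demo_dir(base):
    """Constructed fixture, not a real Spark distribution: the two commons-lang jars plus
    one module that references the legacy package and one that uses lang3 only.
    The .class entries are stand-in bytes carrying the constant-pool string, not real classes."""
    base = Path(base)

    def write_jar(name, entries):
        with zipfile.ZipFile(base / name, "w") as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)

    magic = b"\xca\xfe\xba\xbe"
    write_jar("commons-lang-2.6.0.jar", {"org/apache/commons/lang/StringUtils.class": magic})
    write_jar("commons-lang3-3.18.0.jar", {"org/apache/commons/lang3/StringUtils.class": magic})
    write_jar("legacy-module.jar", {"legacy/Foo.class": magic + b" org/apache/commons/lang/StringUtils"})
    write_jar("newer-module.jar", {"newer/Bar.class": magic + b" org/apache/commons/lang3/StringUtils"})
    return base


def demo_report():
    """Run the whole check against the constructed fixture; returns (inventory, findings, legacy_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        jars = build_demo_dir(tmp)
        found = inventory(jars)
        return found, assess(found), jars_referencing_legacy_package(jars)


if __name__ == "__main__":
    found, findings, hits = demo_report()
    print("commons-lang jars:", found)
    for line in findings:
        print("finding:", line)
    print("jars referencing org.apache.commons.lang:", hits)
```

On the constructed fixture the report lists both artifacts, one finding for the 2.x jar, and {{legacy-module.jar}} as the only consumer of the legacy package; the string scan is a coarse but dependency-free way to answer the "which modules still need 2.x" question that the issue raises before anyone tries to remove the jar.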