Description
Report from Vishnu:
Good day.
We need advice on the below.
We’ve identified a security vulnerability (CVE-2025-46392) in the Apache Commons Configuration 1.10 library during a FOSSA scan in our organization. This library is currently used as a transitive dependency in the Spline project.
Summary of the Issue:
Library: commons-configuration:commons-configuration:1.10
Vulnerability: Uncontrolled Resource Consumption (CWE-400)
Severity: High (Availability Impact)
Fix: No fix available for 1.x; migration to 2.x recommended
Reference: Apache Commons Configuration
According to public sources, the Apache team has confirmed that the 1.x line will not be patched. Users are advised to migrate to the 2.x line, which addresses these issues. While 2.x is not a drop-in replacement, it uses a different Maven groupId and Java package namespace, allowing both versions to coexist during a phased migration.
Request:
Could you please confirm if there are any plans to upgrade to Apache Commons Configuration 2.x in the Spline project?
If not, would you be open to a contribution or collaboration to help facilitate this migration?
Additionally, do you foresee any potential issues or compatibility concerns if we were to migrate to 2.x on our end?
Looking forward to your thoughts.
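The report notes that Commons Configuration 2.x uses a different Maven groupId and Java package namespace, so 1.x and 2.x can coexist during a phased migration. The following Maven POM fragment is an added example, not from the issue or the Spline project, showing how a downstream build can pin 2.x and drop the transitive 1.10 artifact. It assumes a Maven build; `some.group:spline-dependent-artifact` is a hypothetical placeholder for whichever dependency pulls in 1.10, and the 2.x version is a placeholder to be set to a current release. The coordinates `org.apache.commons:commons-configuration2` and the package `org.apache.commons.configuration2` are the real ones for the 2.x line.

```xml
<!-- Added example (not from the issue or the Spline project): a Maven POM
     fragment for a phased migration from commons-configuration 1.10 to 2.x.
     Assumptions: Maven build; "some.group:spline-dependent-artifact" and the
     version strings marked PLACEHOLDER are placeholders, not real values. -->
<dependencies>
  <!-- The dependency that transitively brings in commons-configuration 1.10 -->
  <dependency>
    <groupId>some.group</groupId>
    <artifactId>spline-dependent-artifact</artifactId>
    <version>PLACEHOLDER</version>
    <exclusions>
      <!-- Remove the 1.x artifact from the classpath once no code path
           still loads classes from org.apache.commons.configuration -->
      <exclusion>
        <groupId>commons-configuration</groupId>
        <artifactId>commons-configuration</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- 2.x has its own groupId/artifactId and lives in the Java package
       org.apache.commons.configuration2, so it can sit next to 1.x while
       callers are migrated one at a time -->
  <dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-configuration2</artifactId>
    <version>2.x.y-PLACEHOLDER</version>
  </dependency>
</dependencies>
```

Apply the exclusion only after every consumer of `org.apache.commons.configuration` classes has been ported; excluding the 1.x jar while a library on the classpath still references it fails at runtime with `NoClassDefFoundError` rather than at compile time. To confirm the vulnerable artifact is gone from the resolved tree, run `mvn dependency:tree -Dincludes=commons-configuration:commons-configuration` and check that it reports no matches.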