From 27a72b20ab6d4962afcd72ad072b1ea623a5d71f Mon Sep 17 00:00:00 2001
From: Gary Gregory
Date: Wed, 27 May 2026 15:15:56 -0400
Subject: [PATCH] [LANG-1801] RandomStringUtils.random() does not strictly validate start/end when chars != null, causing potential IndexOutOfBoundsException
---
 src/main/java/org/apache/commons/lang3/RandomStringUtils.java | 4 ++++
 .../java/org/apache/commons/lang3/RandomStringUtilsTest.java | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/commons/lang3/RandomStringUtils.java b/src/main/java/org/apache/commons/lang3/RandomStringUtils.java
index 4795fb0d620..40a5dc74434 100644
--- a/src/main/java/org/apache/commons/lang3/RandomStringUtils.java
+++ b/src/main/java/org/apache/commons/lang3/RandomStringUtils.java
@@ -276,6 +276,10 @@ public static String random(int count, int start, int end, final boolean letters
 throw new IllegalArgumentException(String.format("Parameter end (%,d) must be greater than start (%,d)", end, start));
 } else if (start < 0 || end < 0) {
 throw new IllegalArgumentException("Character positions MUST be >= 0");
+ } else if (chars != null && start >= chars.length) {
+ throw new IllegalArgumentException("start >= chars.length");
+ } else if (chars != null && end > chars.length) {
+ throw new IllegalArgumentException("end > chars.length");
 }
 if (end > Character.MAX_CODE_POINT) {
 // Technically, it should be `Character.MAX_CODE_POINT+1` as `end` is excluded
diff --git a/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java b/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java
index 7ccd9e48bb5..68f646290a3 100644
--- a/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java
+++ b/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java
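Review bot: The two new messages in RandomStringUtils.java, `"start >= chars.length"` and `"end > chars.length"`, omit the rejected value and the array length, while the `end`/`start` message two branches above formats both. Consider `throw new IllegalArgumentException(String.format("Parameter start (%,d) must be less than chars.length (%,d)", start, chars.length));` and the matching form for `end`. If the earlier branch rejects `end <= start`, as its message implies, then `start >= chars.length` already implies `end > chars.length`, so the first new branch only selects which message is reported. The commit title calls the old failure only potential, so some inputs that used to succeed by chance are now always rejected; the method's Javadoc, which lies outside this hunk, should list the new `IllegalArgumentException` conditions. The `else if` chain begins above the hunk.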
@@ -134,7 +134,8 @@ void testExceptionsRandom() { assertIllegalArgumentException(() -> RandomStringUtils.random(8, 32, 48, false, true)); assertIllegalArgumentException(() -> RandomStringUtils.random(8, 32, 65, true, false)); assertIllegalArgumentException(() -> RandomStringUtils.random(1, Integer.MIN_VALUE, -10, false, false, null)); - } + assertIllegalArgumentException(() -> RandomStringUtils.random(2, 4, 5, false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random())); + assertIllegalArgumentException(() -> RandomStringUtils.random(2, 1, 5, false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random())); } @ParameterizedTest @MethodSource("randomProvider")
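Review bot: Both added assertions exercise only rejected inputs (`start == chars.length` and `end > chars.length`), so nothing here pins the accepted boundary, and an off-by-one that also rejected `end == chars.length` would still pass. A positive case such as `assertEquals(2, RandomStringUtils.random(2, 0, 4, false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random()).length());` in whichever test covers valid ranges would close that gap. The hunk counts (`-134,7 +134,8`) together with the single removed `}` suggest the method's closing brace may now share a line with the last added assertion; if so, it should go back on its own line. The test method starts above this hunk.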