From ad34bfb0a57a0cb9c0f375bb82544f6b20fe53d3 Mon Sep 17 00:00:00 2001 
From: "Piotr P. Karwasz"
Date: Mon, 4 Aug 2025 15:39:49 +0200
Subject: [PATCH] [SOLR-17822] Document non-exploitability of CVE-2025-48924
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This update documents that CVE-2025-48924 is **not exploitable** in Apache Solr, based on detailed dependency analysis and code path evaluation.

### Summary

Although Solr includes the vulnerable **Commons Lang** library and transitive dependencies such as **Commons Text** and **Commons Configuration**, the conditions required for exploitation are **not met** in any Solr execution paths.

### Detailed Analysis

* The vulnerable Commons Lang functionality is only exercised via **Commons Text**.
* According to the [Apache Commons Text VEX document](https://raw.githubusercontent.com/apache/commons-text/refs/heads/master/src/conf/security/VEX.cyclonedx.xml), exploitation is limited to the use of **`StringSubstitutor`** and **`StringLookup`**.
* These classes are **not used directly** in Solr’s codebase.
* Commons Text is only included in two Solr modules:
  * `solr-sql`
  * `solr-hadoop-auth`
* Neither module makes any direct or indirect use of the vulnerable classes.
* The only dependency that uses these classes is **Commons Configuration**, which is pulled in transitively via **Hadoop**.
  * Specifically, it is used by the `MetricsConfig` class in the `hadoop-common` library.
  * This code path parses only the `hadoop-metrics2.properties` file, which is considered a **trusted configuration file**, typically provided by the system administrator.

As a result, the vulnerable expression interpolation logic is **never invoked with untrusted input**, and Solr **does not meet the conditions for exploitability** outlined in the [Apache Commons Configuration VEX document](https://raw.githubusercontent.com/apache/commons-configuration/refs/heads/master/src/conf/security/VEX.cyclonedx.xml).
### References

* [Apache Commons Text VEX document](https://raw.githubusercontent.com/apache/commons-text/refs/heads/master/src/conf/security/VEX.cyclonedx.xml)
* [Apache Commons Configuration VEX document](https://raw.githubusercontent.com/apache/commons-configuration/refs/heads/master/src/conf/security/VEX.cyclonedx.xml)
---
 vex-input.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/vex-input.json b/vex-input.json index 2a376ef98..c43a4bf52 100644 --- a/vex-input.json +++ b/vex-input.json @@ -1,4 +1,18 @@ [ + { + "ids": [ + "CVE-2025-48924" + ], + "versions": "9.0.0\u20139.9.0", + "jars": [ + "commons-lang3-.jar" + ], + "analysis": { + "state": "not_affected", + "justification": "code_not_reachable", + "detail": "The vulnerable functionality is only reachable via `commons-configuration2`, which is used in Solr's Hadoop Kerberos support (`solr-hadoop-auth`) to load administrator-provided Hadoop configuration files. As such, the vulnerability is not exploitable in Solr." + } + }, { "ids": [ "CVE-2024-51504"
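Review bot: the justification `"code_not_reachable"` in the new `CVE-2025-48924` entry contradicts the entry's own `detail` and the commit message, both of which say the interpolation code *is* reached (via `commons-configuration2` in `solr-hadoop-auth`, and via `MetricsConfig` parsing `hadoop-metrics2.properties`) but only on administrator-provided, trusted input. A CycloneDX justification that describes reachable-but-controlled code, such as `requires_configuration` or `protected_by_mitigating_control`, matches the stated analysis; if `code_not_reachable` is kept, the `detail` should say why the path is not reachable rather than why its input is trusted. Separately, the jar pattern `"commons-lang3-.jar"` has nothing between the artifact name and `.jar`: if the matcher expects a glob such as `commons-lang3-*.jar`, the wildcard looks lost, and if it matches literally it will never match the shipped jar. The `detail` also names only `solr-hadoop-auth`, while the commit message says Commons Text is also present in `solr-sql`; stating that `solr-sql` does not reach the interpolation code would make the entry self-contained.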