
Migrating commons-lang 2.x to 3.x #8425

@reiabreu

Description


https://lists.apache.org/thread/x6n655on8fl40jtm4j4gqny1qjcgnflp

Hello Team,

As you are aware, Apache Storm currently depends on commons-lang 2.6, and this version is affected by CVE-2025-48924 (https://nvd.nist.gov/vuln/detail/CVE-2025-48924), an Uncontrolled Recursion vulnerability. The commons-lang 2.x line is end-of-life with no active maintenance.

As Storm already started using commons-lang 3.x in 2.6.0 (https://issues.apache.org/jira/browse/STORM-3972), do we have plans to migrate commons-lang from 2.x to 3.x? This would mean migrating all the internal code references from org.apache.commons.lang.* to org.apache.commons.lang3.*, making the API-level changes, and fully removing the commons-lang 2.6 dependency from all build files once the migration is complete.

This migration will resolve the known vulnerability, align Storm with an actively maintained library, and reduce exposure to any future vulnerabilities.
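The migration described above has a natural completeness check: once every reference has moved to `org.apache.commons.lang3.*` and the 2.6 artifact is gone from the build files, nothing in the tree should still mention the 2.x package or the `commons-lang` Maven artifact. The script below is an added example, not code from the Storm project or from the issue; it builds a constructed sample tree (one migrated source file, one legacy file, one pom.xml with both artifacts) and reports what remains to be migrated. The pattern `org\.apache\.commons\.lang\.` relies on the trailing dot to exclude `lang3` without needing lookahead, and the pom check matches the exact `<artifactId>commons-lang</artifactId>` element so that `commons-lang3` is not flagged.

```shell
#!/bin/sh
# Added example (not from the Storm issue or code base): find leftovers of a
# commons-lang 2.x -> 3.x migration in a source tree.

# Print "file:line:text" for every Java source line that still references the
# 2.x package. The trailing "\." after "lang" keeps "lang3" out of the results.
find_lang2_refs() {
    grep -rn --include='*.java' 'org\.apache\.commons\.lang\.' "$1" || true
}

# Print "file:line:text" for every pom.xml that still declares the 2.x artifact
# (the 3.x artifact is "commons-lang3", which this exact match does not hit).
find_lang2_pom_deps() {
    grep -rn --include='pom.xml' '<artifactId>commons-lang</artifactId>' "$1" || true
}

# Counts of the above, as single numbers on stdout, for use in CI gates.
count_lang2_refs() {
    find_lang2_refs "$1" | wc -l | tr -d ' '
}

count_lang2_pom_deps() {
    find_lang2_pom_deps "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one migrated file, one legacy file, one pom that
# still carries the 2.x dependency beside the 3.x one. Prints the directory.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src"
    cat > "$dir/src/Migrated.java" <<'EOF'
import org.apache.commons.lang3.StringUtils;
public class Migrated {}
EOF
    cat > "$dir/src/Legacy.java" <<'EOF'
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.builder.ToStringBuilder;
public class Legacy {}
EOF
    cat > "$dir/pom.xml" <<'EOF'
<project>
  <dependencies>
    <dependency><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId><version>2.6</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>3.x</version></dependency>
  </dependencies>
</project>
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: report remaining 2.x usages in the constructed tree.
# Run against a real checkout instead with: find_lang2_refs /path/to/storm
sample=$(make_sample_tree)
echo "2.x source references:"; find_lang2_refs "$sample"
echo "2.x pom dependencies:";  find_lang2_pom_deps "$sample"
rm -rf "$sample"
```

Pointing the two `find_*` functions at a real checkout gives the worklist for the migration; once both counts reach zero the 2.6 artifact can be dropped from the build without leaving dangling imports.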

Labels: dependencies