Update commons-beanutils

[aalmiray]

Sonatype Lift reports:

[CVE-2014-0114] CWE-20: Improper Input Validation
[CVE-2019-10086] CWE-502: Deserialization of Untrusted Data

[eric-milles]

Also [CVE-2025-48734] CWE-470: Use of Externally-Controlled Input to Select Classes or Code

Could we get a release with commons-beanutils 1.11.0?

[aalmiray]

IIRC commons-beanutils 1.9.4 broke some tests after we tried an upgrade from 1.9.3 and thus we kept the old dependency. This means 1.9.4 brings a change in behavior that we have yet to determine where and how.

I can give it another go with latest commons-beanutils and see if it works.

[meenakshinvTR]

[CVE-2025-48734] CWE-470: Use of Externally-Controlled Input to Select Classes or Code
Do we have any updates on the commons-beanutils?

[aalmiray]

Given the description on that CVE report I don't see how an attacker would leverage the exploit directly through json-lib's JSON parser/marshaller. Other than having the old dependency available in classpath and exploiting another library/dependency.

As mentioned earlier, beanutils 1.9.4 broke behavior compatibility when compared to 1.9.3. We've yet to find the actual cause. Upgrading to latest beanutils 1.x+ may incur in other breakages.

I'll take time this week to investigate.

[aalmiray]

Upgrading to commons-beanutils 1.11.0 yields 4 test failures

[TestJSONObject](https://github.com/kordamp/json-lib/issues/classes/org.kordamp.json.TestJSONObject.html). [testElement_Bean_exclusions_ignoreDefault](https://github.com/kordamp/json-lib/issues/classes/org.kordamp.json.TestJSONObject.html#testElement_Bean_exclusions_ignoreDefault)
[TestJSONObject](https://github.com/kordamp/json-lib/issues/classes/org.kordamp.json.TestJSONObject.html). [testElement_Collection2_exclusions_ignoreDefault](https://github.com/kordamp/json-lib/issues/classes/org.kordamp.json.TestJSONObject.html#testElement_Collection2_exclusions_ignoreDefault)
[TestJSONObjectStaticBuilders_ObjectBean](https://github.com/kordamp/json-lib/issues/classes/org.kordamp.json.TestJSONObjectStaticBuilders_ObjectBean.html). [testFromObject_excludes_ignoreDefaults](https://github.com/kordamp/json-lib/issues/classes/org.kordamp.json.TestJSONObjectStaticBuilders_ObjectBean.html#testFromObject_excludes_ignoreDefaults)
[TestJSONObjectStaticBuilders_PrimitiveBean](https://github.com/kordamp/json-lib/issues/classes/org.kordamp.json.TestJSONObjectStaticBuilders_PrimitiveBean.html). [testFromObject_excludes_ignoreDefaults](https://github.com/kordamp/json-lib/issues/classes/org.kordamp.json.TestJSONObjectStaticBuilders_PrimitiveBean.html#testFromObject_excludes_ignoreDefaults)

Which are the same failures since 1.9.4.

[eric-milles]

It looks like all the failures have to do with setIgnoreDefaultExcludes(true). Do you have more details on where this is applied and what is not working as expected?

[eric-milles]

@aalmiray Thanks for the quick response. Can you update commons-beanutils in ezmorph (transitive dependency) as well?

[aalmiray]

Would have to post a release and update here as well. Ok.

[aalmiray]

https://github.com/kordamp/json-lib/actions/runs/15737590526

[meenakshinvTR]

Could you please let us know when Kordamp 3.2.0, which will include the latest version of commons-beanutils (1.11.0), is expected to be moved to JFrog?