Elasticsearch 8.18.4 has uncontrolled recursion CVE

Hey team, we're looking at ES 8.18.4 and getting an issue with an uncontrolled recursion vulnerability from Snyk. Can anyone tell me if this is already in the works, or if there is a ticket I can link to for my team?

Testing docker.elastic.co/elasticsearch/elasticsearch:8.18.4...

Tested 8 dependencies for known issues, found 1 issue.

Issues to fix by upgrading:

Upgrade org.apache.commons:commons-lang3@3.9 to org.apache.commons:commons-lang3@3.18.0 to fix
✗ Uncontrolled Recursion (new) [High Severity][Uncontrolled Recursion in org.apache.commons:commons-lang3 | CVE-2025-48924 | Snyk] in org.apache.commons:commons-lang3@3.9
introduced by org.apache.commons:commons-lang3@3.9

We can't discuss security vulnerabilities in public channels such as this forum, sorry. Please follow these instructions about reporting potential security vulnerabilities instead. Note that a published vulnerability in a dependency does not indicate whether Elasticsearch itself has a similar vulnerability. It may be that Elasticsearch uses the dependency in a way that prevents the issue from occurring.
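For teams that have to triage reports like the Snyk output above at scale, here is a small parser for that text format, added as an example (it is not part of the original posts, nor Elastic or Snyk tooling). It pulls the "Upgrade a@b to a@c to fix" and "✗ ... | CVE-... |" lines into records and decides whether the installed version is below the fix version by comparing numeric version tuples; a plain string comparison gets this wrong ("3.9" sorts after "3.18.0"). The sample report is constructed from the lines in the post. As the reply notes, a finding like this only says the dependency version is affected, not that the product is exploitable, so the output is a triage list, not a verdict.

```python
"""Triage helper for Snyk text output of the kind shown in the post.

Added example, not part of the original posts and not Elastic or Snyk code.
"""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines from the Snyk run quoted in the post.
SAMPLE_REPORT = """\
Testing docker.elastic.co/elasticsearch/elasticsearch:8.18.4...

Tested 8 dependencies for known issues, found 1 issue.

Issues to fix by upgrading:

Upgrade org.apache.commons:commons-lang3@3.9 to org.apache.commons:commons-lang3@3.18.0 to fix
✗ Uncontrolled Recursion (new) [High Severity][Uncontrolled Recursion in org.apache.commons:commons-lang3 | CVE-2025-48924 | Snyk] in org.apache.commons:commons-lang3@3.9
introduced by org.apache.commons:commons-lang3@3.9
"""

# "Upgrade <pkg>@<installed> to <pkg>@<fixed> to fix"
UPGRADE_RE = re.compile(r"^Upgrade (\S+)@(\S+) to \1@(\S+) to fix$")
# "✗ <title> [<Severity> Severity][... | CVE-YYYY-NNNN | Snyk] in <pkg>@<ver>"
ISSUE_RE = re.compile(r"^✗ (.+?) \[(\w+) Severity\].*?\|\s*(CVE-\d{4}-\d+)\s*\|")


@dataclass
class Finding:
    package: str
    installed: str
    fixed_in: str
    title: str
    severity: str
    cve: str


def version_key(v: str) -> tuple:
    """Turn '3.9' / '3.18.0' into comparable numeric tuples.

    Components are padded to three places so '3.9' and '3.9.0' compare equal;
    a non-numeric component (e.g. 'rc1') sorts below any numeric one.
    """
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else -1)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def needs_upgrade(installed: str, fixed_in: str) -> bool:
    """True when the installed version is strictly below the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def parse_report(text: str) -> list[Finding]:
    """Pair each 'Upgrade ... to fix' line with the '✗' issue line(s) that follow it."""
    findings = []
    pending = None  # (package, installed, fixed_in) from the last Upgrade line
    for raw in text.splitlines():
        line = raw.strip()
        m = UPGRADE_RE.match(line)
        if m:
            pending = m.groups()
            continue
        m = ISSUE_RE.match(line)
        if m and pending:
            pkg, installed, fixed_in = pending
            findings.append(Finding(pkg, installed, fixed_in, m.group(1), m.group(2), m.group(3)))
    return findings


def upgrades_required(text: str) -> list[Finding]:
    """Findings whose installed version really is below the fix version."""
    return [f for f in parse_report(text) if needs_upgrade(f.installed, f.fixed_in)]


if __name__ == "__main__":
    for f in upgrades_required(SAMPLE_REPORT):
        print(f"{f.cve} [{f.severity}] {f.package}: {f.installed} -> {f.fixed_in}  ({f.title})")
```

The parser is deliberately narrow: it trusts the "Upgrade ... to fix" pairing Snyk prints and does nothing about reachability. Confirming whether Elasticsearch actually calls the affected code path, as the reply points out, is a separate question that this output cannot answer.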
