
Log4Shell Successor: Critical RCE in Apache Commons Text Exploitation Surges

A critical vulnerability in Apache Commons Text string interpolation is being mass-exploited at year's end, with attackers deploying cryptominers and ransomware through the widely-embedded Java library.

Sebastion

CVE References: CVE-2025-49301

Affected: Apache Commons Text, Java applications

What happened: A critical remote code execution vulnerability in Apache Commons Text is being actively exploited in mass attacks as the year closes. The vulnerability exists in the library's string interpolation functionality, which allows code execution through specially crafted strings processed by applications using the library. Similar to the Log4Shell vulnerability in its widespread impact, the flaw affects any Java application that passes user-controlled input through Commons Text's string lookup features. Exploitation campaigns are deploying cryptominers, web shells, and ransomware.

Technical details: CVE-2025-49301 affects the StringSubstitutor class in Apache Commons Text, which supports multiple interpolation lookups including DNS, URL, and script engine lookups. Attackers can craft input strings containing interpolation sequences such as ${script:javascript:...} or ${url:...} that are evaluated when the application processes the string through StringSubstitutor. The script engine lookup enables arbitrary code execution through embedded JavaScript or other Java scripting languages. Where Log4j exposed a single JNDI lookup, Commons Text exposes several lookup types, each of which is a distinct exploitation path. The library is embedded in thousands of Java applications and is often present only as a transitive dependency.

Who is affected: Any Java application that uses Apache Commons Text for string processing and passes user-controlled input through the StringSubstitutor or StringLookup classes. Enterprise web applications, middleware, and SaaS platforms built on Java are commonly affected. The library's presence as a transitive dependency means many application developers may not be aware they are using it.

What defenders should do: Audit Java applications for Apache Commons Text usage, including as a transitive dependency (use mvn dependency:tree or gradle dependencies). Update to the patched Commons Text version that disables dangerous lookups by default. If updating is not possible, set the system property to disable script and URL interpolations. Deploy WAF rules to block common interpolation patterns in HTTP requests. Monitor for exploitation indicators including unusual outbound DNS queries and unexpected process execution from Java applications.
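As an added example (not code from this advisory or from the Commons Text project), one way to harden an application that feeds untrusted data through StringSubstitutor: an explicit allow-list of lookups instead of the default interpolator, no re-interpolation of resolved values, and a small check that flags prefixed interpolation sequences in input. It assumes Apache Commons Text on the classpath; the class, method and variable names are mine, and the untrusted value is constructed.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/** Hardened StringSubstitutor usage: allow-listed lookups, untrusted data only as values. */
public final class SafeInterpolation {

    // Weak form, kept for contrast: on vulnerable versions the interpolator built here
    // registers the script, url and dns lookups, so "${script:javascript:...}" is evaluated.
    static StringSubstitutor weak() {
        return StringSubstitutor.createInterpolator();
    }

    // Hardened form: only the lookups named here are resolvable (assumed here: date and sys,
    // the ones the application's own templates need). addDefaultLookups=false keeps the
    // library from registering its default prefix set, which included script/url/dns.
    static StringSubstitutor hardened(Map<String, String> vars) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", f.dateStringLookup());
        allowed.put("sys", f.systemPropertyStringLookup());
        StringLookup interpolator = f.interpolatorStringLookup(allowed, f.mapStringLookup(vars), false);
        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Resolved values are not re-scanned for "${...}", so data arriving through the map
        // cannot trigger a second round of interpolation (the library's default is to re-scan).
        sub.setDisableSubstitutionInValues(true);
        return sub;
    }

    // Detection helper for request filtering or logging: flags input that carries a
    // prefixed interpolation sequence such as "${script:" or "${url:".
    static boolean looksLikeLookup(String input) {
        return input != null && input.matches("(?s).*\\$\\{\\s*[A-Za-z]+\\s*:.*");
    }

    public static void main(String[] args) {
        // Constructed untrusted value mirroring the pattern named in the advisory.
        String untrusted = "${script:javascript:/* attacker-controlled */}";
        Map<String, String> vars = new HashMap<>();
        vars.put("user", untrusted);

        // The template is application-owned; untrusted data enters only through the map,
        // so the output keeps the sequence as literal text instead of evaluating it.
        System.out.println(hardened(vars).replace("Hello ${user}"));
        System.out.println("flagged=" + looksLikeLookup(untrusted));
    }
}
```

The allow-list protects even if value re-scanning were left enabled, because the interpolator has no "script", "url" or "dns" entry to dispatch to; the two settings are independent layers.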

Broader implications: The Apache Commons Text vulnerability reinforces that the Java string interpolation attack surface extends well beyond Log4j. The challenge of discovering and patching deeply embedded transitive dependencies in the Java ecosystem remains unsolved at scale. This incident demonstrates that the software supply chain problem is not limited to intentional tampering — widely-used libraries with dangerous default behaviors can be just as impactful. The year closes with a reminder that fundamental software security challenges persist despite increased awareness and investment following Log4Shell.