
CVE-2025-48924, CVE-2025-8885, CVE-2025-8916: Vulnerable commons-lang3, bouncycastle fips, bcprov #19148

@architgoyal2

Description

We are using opensearch and opensearch-security dependencies in our products, and the 2.19.x versions are vulnerable to these. Can we maintain/release the 2.19 branch once the fixes are merged?

Multiple vulnerabilities have been identified in dependencies used by opensearch and opensearch-security. These are tracked under the following CVEs:

  1. commons-lang3 - org.apache.commons:commons-lang3

CVE: CVE-2025-48924
Current Version in Use: 3.17.0
Fixed Version Available: 3.18.

  2. BouncyCastle FIPS - org.bouncycastle:bc-fips

CVE: CVE-2025-8885
Current Version in Use: 2.0.0
Fixed Version Available: 2.1.0

  3. BouncyCastle Provider - org.bouncycastle:bcprov-jdk18on

CVE: CVE-2025-8916
Current Version in Use: 1.78
Fixed Version Available: 1.79

These are the vulnerable paths:

opensearch/plugins/opensearch-security@* › org.apache.commons:commons-lang3@3.14.0
opensearch/lib/tools/plugin-cli@* › org.bouncycastle:bc-fips@2.0.0
/opensearch/plugins/opensearch-security@* › org.bouncycastle:bcprov-jdk18on@1.78

Impact

  1. commons-lang3 (CVE-2025-48924)
    This vulnerability in commons-lang3 may allow attackers to trigger improper input validation, potentially
    leading to unexpected application behavior or exposure of sensitive information. Applications relying on
    StringUtils and similar utilities could be affected if user-controlled input is not sanitized.

  2. bc-fips (CVE-2025-8885)
    The bc-fips module is affected by a cryptographic weakness that could undermine the guarantees of FIPS-
    compliant encryption. An attacker with knowledge of this flaw may be able to weaken or bypass security
    controls that depend on BouncyCastle FIPS algorithms.

  3. bcprov-jdk18on (CVE-2025-8916)
    This CVE in bcprov-jdk18on relates to improper handling of cryptographic operations. Exploitation may result
    in reduced cryptographic strength, information disclosure, or—in some cases—remote attacks against
    applications using the vulnerable algorithms.

Proposed Recommendation

commons-lang3: Upgrade to ≥ 3.18.0
bc-fips: Upgrade to ≥ 2.1.0
bcprov-jdk18on: Upgrade to ≥ 1.79

Related component

Libraries
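A quick way to confirm whether a build still pulls in the affected versions is to scan the resolved dependency paths against the fixed versions from the recommendation above. The following check is an added example and not part of the issue or of OpenSearch; it uses the three paths quoted in the issue as constructed sample input and compares each `group:artifact@version` coordinate numerically against the minimum fixed version.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions, taken from the issue's "Proposed Recommendation" section.
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "org.apache.commons:commons-lang3": ("CVE-2025-48924", "3.18.0"),
    "org.bouncycastle:bc-fips": ("CVE-2025-8885", "2.1.0"),
    "org.bouncycastle:bcprov-jdk18on": ("CVE-2025-8916", "1.79"),
}

# Constructed sample input: the three dependency paths quoted in the issue.
SAMPLE_PATHS = """\
opensearch/plugins/opensearch-security@* › org.apache.commons:commons-lang3@3.14.0
opensearch/lib/tools/plugin-cli@* › org.bouncycastle:bc-fips@2.0.0
/opensearch/plugins/opensearch-security@* › org.bouncycastle:bcprov-jdk18on@1.78
"""

# Matches Maven coordinates group:artifact@version; "@*" (no numeric version) is skipped.
_COORD = re.compile(r"([\w.\-]+:[\w.\-]+)@(\d[\w.\-]*)")

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.18.0' into (3, 18, 0); stops at the first non-numeric segment (e.g. '-rc1')."""
    parts: List[int] = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; shorter tuples are zero-padded so 3.18 == 3.18.0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))

def find_vulnerable(dependency_paths: str) -> List[Dict[str, str]]:
    """Scan each path line for coordinates below their fixed version and report them."""
    findings: List[Dict[str, str]] = []
    for line in dependency_paths.splitlines():
        for coordinate, version in _COORD.findall(line):
            if coordinate in FIXED_VERSIONS:
                cve, fixed = FIXED_VERSIONS[coordinate]
                if version_lt(version, fixed):
                    findings.append({"path": line.strip(), "coordinate": coordinate,
                                     "version": version, "cve": cve, "fixed": fixed})
    return findings
```

Feed `find_vulnerable` the path lines from your own dependency report (one path per line) to get a list of the coordinates that still need the upgrade; an empty list means none of the three affected artifacts resolve below their fixed version.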


Labels

Libraries, bug
