Uncontrolled Recursion: Apache Commons Config 2.2-2.15 YAML StackOverflow
CVE-2026-45205 Published on May 14, 2026

Apache Commons Configuration: StackOverflowError for YAML input with cycles
Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue affects Apache Commons: from 2.2 before 2.15.0. Users are recommended to upgrade to version 2.15.0, which fixes the issue.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-45205 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
LOW

Weakness Type

What is a Stack Exhaustion Vulnerability?

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

CVE-2026-45205 has been classified to as a Stack Exhaustion vulnerability or weakness.


Products Associated with CVE-2026-45205

Want to know whenever a new CVE is published for Apache Commons Configuration? stack.watch will email you.

Apache Commons Configuration
 

Affected Versions

Apache Software Foundation Apache Commons Configuration: