Description
For the CVE description, see https://www.cve.org/CVERecord?id=CVE-2025-48924. For the references in source, see https://github.com/search?q=repo%3ANetflix%2Fzuul+commons-lang%3Acommons-lang&type=code
The fix is to upgrade from commons-lang:commons-lang:2.6 to org.apache.commons:commons-lang3:3.18.0 or later.
The CVE was published July 11, 2025 and has been scored between Low and High:
- https://security.snyk.io/vuln/SNYK-JAVA-COMMONSLANG-10734077 has an 8.8 CVSS "Base Score" which makes it a High.
- https://nvd.nist.gov/vuln/detail/CVE-2025-48924 says "Awaiting Analysis" but has a CVSS 3.x "ADP: CISA-ADP" base score of 5.3 (Medium)
- https://access.redhat.com/security/cve/cve-2025-48924 lists a CVSS v3 of 3.7 (Low)
- https://www.suse.com/security/cve/CVE-2025-48924.html gives it a 4.7 for CVSS v3 and a 5.7 for CVSS v4
Looks like (in Zuul 2.5.10), zuul-core pulls this in via:
- commons-configuration:commons-configuration:1.10 which is depended on by com.netflix.archaius:archaius-core:0.7.12
- com.netflix.ribbon:ribbon-core:2.4.4 which is depended on by com.netflix.ribbon:ribbon-loadbalancer:2.4.4
- com.netflix.ribbon:ribbon-archaius:2.4.4
Looks like latest archaius doesn't have a commons-lang:commons-lang:2.6 dependency but ribbon does, and ribbon hasn't released in a few years.
Upgrading commons-lang is complicated by the fact that they changed the package from org.apache.commons.lang to org.apache.commons.lang3. See https://commons.apache.org/proper/commons-lang/article3_0.html#Migrating_from_2.x
Curious if Zuul project would address this dependency getting pulled in in the last Zuul release.
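As an added illustration of the transitive chain described above (not code from this issue or from the Zuul project), the Python script below parses Gradle `dependencies` output and lists every path that ends at an artifact still needing the commons-lang upgrade. The tree text is a constructed sample using the coordinates named in the issue, and the function names are my own.

```python
import re

# Constructed sample of `gradle :zuul-core:dependencies` output (not real Zuul
# output); the coordinates and versions are the ones named in the issue.
GRADLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.netflix.archaius:archaius-core:0.7.12
|    \\--- commons-configuration:commons-configuration:1.10
|         \\--- commons-lang:commons-lang:2.6
+--- com.netflix.ribbon:ribbon-loadbalancer:2.4.4
|    \\--- com.netflix.ribbon:ribbon-core:2.4.4
|         \\--- commons-lang:commons-lang:2.6 (*)
+--- com.netflix.ribbon:ribbon-archaius:2.4.4
|    \\--- commons-lang:commons-lang:2.6 (*)
\\--- org.apache.commons:commons-lang3:3.18.0
"""

# Matches "+--- group:artifact:version" or "\--- ..." after the "|    " nesting prefix.
LINE_RE = re.compile(r"^(?P<indent>[| ]*)(?:\+---|\\---) (?P<coord>\S+)")

def parse_tree(text):
    """Yield (depth, coordinate) per dependency line; each nesting level is 5 columns."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield len(m.group("indent")) // 5, m.group("coord")

def needs_upgrade(coord):
    """Flag commons-lang 2.x (the fix exists only in commons-lang3) and commons-lang3 < 3.18.0."""
    group_artifact, version = coord.rsplit(":", 1)
    if group_artifact == "commons-lang:commons-lang":
        return True
    if group_artifact == "org.apache.commons:commons-lang3":
        nums = tuple(int(p) for p in version.split(".") if p.isdigit())
        return (nums + (0, 0, 0))[:3] < (3, 18, 0)   # pad so "3.18" == 3.18.0
    return False

def find_paths(text, predicate):
    """Return every root-to-leaf path in the tree whose leaf satisfies predicate."""
    paths, stack = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]          # climb back to this line's parent
        stack.append(coord)
        if predicate(coord):
            paths.append(list(stack))
    return paths

if __name__ == "__main__":
    for path in find_paths(GRADLE_TREE, needs_upgrade):
        print(" -> ".join(path))
```

Run against real `gradle dependencies` output, the printed paths show which direct dependency (archaius-core, ribbon-loadbalancer, ribbon-archaius) has to be excluded, overridden or upgraded for each occurrence.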