Vulnerability scans might report CVE-2025-48924 in tc Server. Affected versions can include but are not limited to:
Foundations running tc Server
CVE-2025-48924 is rated medium severity in the NIST National Vulnerability Database (NVD), which describes it as follows:
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.
While the tc Server versions mentioned in this article ship versions of Apache Commons Lang that contain CVE-2025-48924, the way the product uses the library does not expose it to this vulnerability.
The tc Server engineering team has reviewed vulnerability CVE-2025-48924 to ascertain exposure on the tc Server components and confirmed that the CVE is a non-issue for tc Server.
The tc Server CLI (tc-server-10.1) uses Commons Lang in a very limited way. The affected class/method (ClassUtils.getClass()) isn't used at all in tc Server. Furthermore, this dependency belongs to the tc Server CLI, not to the runtime.
Therefore, even if there were something to exploit, the user running the tc Server CLI would already need to be trusted, and a user with that access who wanted to act maliciously could do far more damage by other means than by attempting any kind of exploit through this CVE.
Although the class/method affected by this vulnerability isn't exposed in tc Server, the tc Server engineering team has added the Commons Lang dependency to the list of updates for the next releases, tc Server 4.1.48 and 10.1.44.D.
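For administrators who want to confirm which component of an installation actually carries the dependency (CLI versus runtime) and whether its version falls inside the ranges quoted from the NVD entry above, the following inventory check is an added example, not tooling from the tc Server project. It assumes the jars on disk follow the standard Maven naming pattern (commons-lang-2.6.jar, commons-lang3-3.12.0.jar); the sample filenames in the block are constructed.

```python
"""Inventory check for CVE-2025-48924 (added example, not tc Server's own tooling).
Finds Apache Commons Lang jars under a directory and flags the versions the
advisory names as affected: commons-lang 2.0 to 2.6, commons-lang3 3.0 before 3.18.0."""
import re
import sys
from pathlib import Path
from typing import Iterable, List, Tuple

# Assumes Maven-style filenames, e.g. commons-lang3-3.12.0.jar (assumption).
JAR_RE = re.compile(r"^(commons-lang3?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.12' or '3.12.0' into a three-part tuple so comparisons are exact."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected(artifact: str, version: str) -> bool:
    """True when (artifact, version) lies inside the CVE-2025-48924 ranges."""
    ver = parse_version(version)
    if artifact == "commons-lang":
        return (2, 0, 0) <= ver <= (2, 6, 0)   # 2.0 to 2.6 inclusive
    if artifact == "commons-lang3":
        return (3, 0, 0) <= ver < (3, 18, 0)   # 3.0 up to, not including, 3.18.0
    return False


def classify(jar_names: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (name, version, affected) for every Commons Lang jar name given."""
    results = []
    for name in jar_names:
        match = JAR_RE.match(name)
        if match:
            artifact, version = match.group(1), match.group(2)
            results.append((name, version, is_affected(artifact, version)))
    return results


def scan(root: str) -> List[Tuple[str, str, bool]]:
    """Walk an install tree; the path shows whether a jar belongs to the CLI or the runtime."""
    jars = {str(p): p.name for p in Path(root).rglob("*.jar")}
    return [(path, ver, hit) for path, (_, ver, hit) in
            ((p, classify([n])[0]) for p, n in jars.items() if classify([n]))]


if __name__ == "__main__":
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok      '} {version:<10} {path}")
```

Run it against the tc Server installation root; a flagged jar under the CLI directory only matters if the ClassUtils.getClass() path is reachable from untrusted input, which this article states it is not.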