All Apache Commons Text CVEs — Complete Vulnerability History
Commons Text is Apache's string manipulation library. CVE-2022-42889 (Text4Shell) is on CISA KEV — it allows RCE via string interpolation. The attack surface is smaller than Log4Shell but the severity is equivalent.
Java/Maven · Millions of weekly downloads · 1 CVE total · 1 CRITICAL · 🔴 CISA KEV
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2022-42889 | 2022 | 🔴 CRITICAL | Text4Shell — RCE via string interpolation — CISA KEV | Fixed 1.10.0 |
Current safe version: 1.12.0
Before (the `commons-text.version` property in the pom.xml `<properties>` block):

```xml
<commons-text.version>1.9</commons-text.version>
```

After:

```xml
<commons-text.version>1.12.0</commons-text.version>
```

Then run `mvn dependency:resolve` to pull the updated artifact.
Common questions
How is Text4Shell different from Log4Shell?

Both use variable interpolation as the attack vector. Log4Shell exploits JNDI lookups in log messages. Text4Shell exploits StringSubstitutor's `script:`, `dns:`, and `url:` interpolation prefixes. Text4Shell requires the application to explicitly pass untrusted input to StringSubstitutor.

Is commons-text widely used?

Not as widely as Log4j, but it appears in many enterprise Java applications and Spring projects. Run `mvn dependency:tree | grep commons-text` to check.

Does 1.10.0 fix all Text4Shell bypasses?

1.10.0 disables the dangerous interpolation prefixes by default. There have been no confirmed bypasses of the 1.10.0 fix. 1.12.0 is the current latest version.
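As an added illustration of the answers above (this is example code written for this page, not code from PackageFix or from the Commons Text project), the following shows the pattern Text4Shell depends on, an application handing untrusted text to the default interpolator, beside a hardened form that registers only an allowlist of lookups. It assumes commons-text 1.12.0 on the classpath; the class, method and map names are ours, and the template string is a constructed sample.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not from this page or the Commons Text project).
 * Assumes commons-text 1.12.0; names below are our own.
 */
public class TemplateRenderer {

    // Application-supplied values a template may reference with ${user} / ${tenant}.
    private static final Map<String, String> APP_VALUES = Map.of(
            "user", "alice",
            "tenant", "acme");

    /**
     * The risky pattern: untrusted text goes straight into the default
     * interpolator. On 1.9 and earlier the default lookup set includes the
     * script:, dns: and url: prefixes, which is the CVE-2022-42889 sink.
     * On 1.10.0+ those three are off by default, but prefixes such as
     * sys:, env: and file: still resolve, so untrusted input here is still
     * a data-exposure risk even after upgrading.
     */
    public static String renderUnrestricted(String untrustedTemplate) {
        return StringSubstitutor.createInterpolator().replace(untrustedTemplate);
    }

    /**
     * Hardened form: only an explicit map lookup plus the date lookup are
     * registered, and addDefaultLookups=false keeps every other prefix
     * (script:, dns:, url:, sys:, env:, file:, ...) out of the interpolator.
     * A ${prefix:key} whose prefix is not in the map is left in the output
     * as literal text rather than being resolved.
     */
    public static String renderRestricted(String untrustedTemplate) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = Map.of(
                "date", f.dateStringLookup());          // e.g. ${date:yyyy}
        StringLookup interpolator = f.interpolatorStringLookup(
                allowed,                                // prefixed lookups permitted
                f.mapStringLookup(APP_VALUES),          // un-prefixed keys: ${user}
                false);                                 // do not add default lookups
        return new StringSubstitutor(interpolator).replace(untrustedTemplate);
    }

    public static void main(String[] args) {
        // Constructed input: one allowed variable and one prefix outside the allowlist.
        String tpl = "Hello ${user}, home directory: ${env:HOME}";
        // ${user} is substituted; ${env:HOME} stays literal because env: is not
        // registered. script:, dns: and url: are rejected the same way.
        System.out.println(renderRestricted(tpl));
    }
}
```

The allowlist approach is independent of the library version: it protects code that cannot be upgraded past 1.9 immediately, and on 1.10.0 or later it closes the remaining `sys:`, `env:` and `file:` prefixes that the default interpolator still honours. Upgrading to 1.12.0 should still be done, since the allowlist only covers call sites you control.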