CVE-2022-42889 — Text4Shell — Apache Commons Text CRITICAL
🔴 CISA KEV — Actively Exploited
CVSS Score: 9.8 · CRITICAL Severity
Text4Shell is a critical remote code execution vulnerability in Apache Commons Text versions 1.5 through 1.9. The default interpolator behind `StringSubstitutor.createInterpolator()` (equivalently `StringLookupFactory.INSTANCE.interpolatorStringLookup()`) registers `script:`, `url:` and `dns:` lookups, so a string such as `${script:javascript:...}` that reaches an interpolating substitutor is evaluated rather than treated as text, much like the JNDI lookups behind Log4Shell. The `script:` lookup needs a JSR-223 engine on the classpath (Nashorn on JDK 8 to 14) to execute code; `url:` and `dns:` work on any JDK and give an attacker SSRF, local file reads and DNS-based exfiltration. Affected: any application that passes untrusted input to an interpolating StringSubstitutor. A plain `new StringSubstitutor(map)` that only resolves keys from a map you supply is not affected.
Affected Packages
| Ecosystem | Package | Vulnerable | Safe version | Fix |
|---|---|---|---|---|
| Java/Maven | org.apache.commons:commons-text | 1.5 to 1.9 | 1.10.0 or later (1.12.0 recommended) | Fix guide → |
Vulnerability Timeline
Sep 24, 2022: Apache Commons Text 1.10.0 released; `script:`, `dns:` and `url:` are no longer part of the default interpolator lookups.
Oct 13, 2022: Apache publishes the advisory and CVE-2022-42889. Immediately compared to Log4Shell in severity.
Oct 18, 2022: CISA adds it to the KEV catalog.
Oct to Nov 2022: Security vendors report in-the-wild exploitation attempts, largely scanners probing with `dns:` and `url:` payloads.
2023 onward: Unpatched 1.5 to 1.9 builds remain exposed.
Frequently Asked Questions
What is Text4Shell?
Text4Shell (CVE-2022-42889) is an RCE vulnerability in Apache Commons Text 1.5 through 1.9. The interpolator that `StringSubstitutor.createInterpolator()` builds resolves `${prefix:...}` references through a set of default lookups, and in those versions the defaults include `script:` (evaluates the rest of the reference in a JSR-223 script engine), `url:` (fetches a URL, including `file:///` paths) and `dns:` (resolves a hostname). If untrusted input reaches such a substitutor, an attacker can execute arbitrary code where a script engine is present, and can read local files, reach internal services or trigger DNS lookups for exfiltration even where it is not.
How is Text4Shell different from Log4Shell?
Both use variable interpolation as the attack vector. Log4Shell fires whenever attacker-controlled text is logged, because log4j-core resolved JNDI lookups in log messages by default. Text4Shell fires only when the application itself passes untrusted input to an interpolating StringSubstitutor, and `script:` additionally needs a script engine on the classpath. The attack surface is therefore smaller, but any template, message-formatting or configuration feature that interpolates user-supplied strings is a direct hit.
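The vulnerable pattern described in the two answers above, beside two safe alternatives, as an added example (this is not code from the page or from the Apache Commons project). The class name `Text4ShellDemo`, the method names and the sample template are hypothetical; the `StringSubstitutor` and `StringLookupFactory` calls are the real commons-text API. The vulnerable branch only misbehaves on commons-text 1.5 through 1.9, and the `script:` probe only evaluates when a JSR-223 JavaScript engine is on the classpath.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (hypothetical class name): the interpolation pattern behind
 * CVE-2022-42889 next to two safe ways of substituting variables.
 * Requires org.apache.commons:commons-text on the classpath.
 */
public class Text4ShellDemo {

    // Constructed attacker input, e.g. a query parameter or form field.
    // On commons-text 1.5-1.9 everything after "script:javascript:" is handed
    // to a JSR-223 engine (Nashorn on JDK 8-14); a real payload would be
    // ${script:javascript:java.lang.Runtime.getRuntime().exec('id')}.
    static final String SCRIPT_PROBE = "${script:javascript:1+1}";
    // These two need no script engine: url: fetches a URL (or a local file
    // via file:///), dns: resolves a name the attacker controls.
    static final String URL_PROBE = "${url:UTF-8:file:///etc/hostname}";
    static final String DNS_PROBE = "${dns:address|example.com}";

    // VULNERABLE on 1.5-1.9: createInterpolator() registers every default
    // lookup, which in those versions includes script:, url: and dns:.
    static String renderVulnerable(String template) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(template);
    }

    // SAFE on every version: a map-backed substitutor resolves only the keys
    // you supply; any other ${...} reference is left in the output verbatim.
    static String renderMapOnly(String template, Map<String, String> vars) {
        return new StringSubstitutor(vars).replace(template);
    }

    // SAFE on every version: if prefixed lookups are genuinely needed, build
    // the interpolator from an explicit allow-list (here env: plus your own
    // map as the fallback) and pass addDefaultLookups=false so the factory
    // registers nothing else, whatever the library version or system properties say.
    static String renderAllowListed(String template, Map<String, String> vars) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        StringLookup lookup = f.interpolatorStringLookup(
                Map.of("env", f.environmentVariableStringLookup()),
                f.mapStringLookup(vars),
                false);
        return new StringSubstitutor(lookup).replace(template);
    }

    public static void main(String[] args) {
        Map<String, String> vars = Map.of("user", "alice");
        // Constructed template: a trusted part plus the untrusted probe.
        String template = "Hello ${user}, you sent: " + SCRIPT_PROBE;

        // 1.5-1.9 with a JavaScript engine present: "Hello ${user}, you sent: 2"
        // 1.10.0+: script: is not registered, so the reference stays as typed
        System.out.println("interpolator : " + renderVulnerable(template));
        // Every version: "Hello alice, you sent: ${script:javascript:1+1}"
        System.out.println("map only     : " + renderMapOnly(template, vars));
        System.out.println("allow-listed : " + renderAllowListed(template, vars));
    }
}
```

To see the `url:` and `dns:` behaviour, swap `URL_PROBE` or `DNS_PROBE` into the template: on 1.5 to 1.9 the first returns the file's contents and the second performs a real DNS query, on any JDK. On JDK 15 and later without a standalone Nashorn or other JSR-223 JavaScript engine, the `script:` lookup fails instead of executing, which is why scanners in the wild lean on the `dns:` and `url:` prefixes.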
What is the fix for Text4Shell?
Upgrade commons-text to 1.10.0 or later (1.12.0 recommended). From 1.10.0 the `script:`, `dns:` and `url:` lookups are no longer added to the default interpolator; they can only be turned back on explicitly through the system property `org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups`, so check that no launcher or deployment descriptor sets it. Independently of the version, do not feed untrusted input to an interpolating StringSubstitutor: use a map-backed substitutor, or build the interpolator from an explicit allow-list of lookups. Paste your pom.xml into PackageFix to check your current version.
Am I affected if I don't call StringSubstitutor directly?
You may still be affected if a library you depend on uses Commons Text internally; several Apache and third-party libraries pull it in transitively. Run `mvn dependency:tree -Dincludes=org.apache.commons:commons-text` (or `./gradlew dependencyInsight --dependency commons-text` on Gradle) to see which path brings it in, and pin the version with a `dependencyManagement` entry or Gradle resolution strategy if the upstream library has not updated. Paste your pom.xml into PackageFix to check transitive dependencies.
Is Text4Shell on CISA KEV?
Yes — CISA added CVE-2022-42889 to the Known Exploited Vulnerabilities catalog confirming active exploitation.