Recent changes to support-requests

#130 Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0

2026-02-23T15:29:06.838000Z

On my end, the reason I didn't question this is I wasn't expecting spring-boot to not be using the latest version. They decided not the backport the change to the 3.5 branch

if you're curious: https://github.com/spring-projects/spring-boot/issues/46437

Also IntelliJ's dependency analyser doesn't tell me that the version is coming from spring-boot pining that version.

Anyway thanks, problem solved ;)

#130 Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0

2026-02-23T15:21:42.104000Z

No worries - I cannot count the number of times I have been personally burned by overriding transitive dependencies and so I am not surprised when I get a couple of these tickets every year. I was just surprised that I had two this close together.

Scott :)

#130 Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0

2026-02-23T13:51:23.451000Z

Hi Scott.

Indeed, I don't know how I missed that. Seems I'm having the same issue described in that other ticket.

Sorry for the dup. I'll be more careful in the future.

#130 Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0

2026-02-23T13:06:56.415000Z

Hello Laurent.

Make sure you are using version 5.12.0 as that is using 3.18.0. If you are using 5.12.0 then look at https://sourceforge.net/p/opencsv/feature-requests/175/ for possible solution.

The snapshot version does use 3.20.0 but it is just dependency updates thus far so there has not been a reason to update. Here again if you want to force 3.20.0 then look at the above feature request for the solution.

Hope that helps.

Scott Conway :)

Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0

2026-02-23T09:49:00.434000Z

Hi, just a heads-up that the transitive dependency org.apache.commons:commons-lang3 pulled in by opencsv is currently pinned to version 3.17.0, which is affected by CVE-2025-48924 (CVSS 5.3).

The vulnerability involves uncontrolled recursion in ClassUtils.getClass(...), which can throw a StackOverflowError on very long inputs and potentially cause the application to stop. The fix was introduced in version 3.18.0.

Would it be possible to upgrade this dependency to 3.20.0 (current latest)? Thanks for maintaining opencsv!

Reference: https://www.mend.io/vulnerability-database/CVE-2025-48924

Add column name or index information in CsvException

2025-11-17T19:09:08.587000Z

CsvDataTypeMismatchException exceptions do not have the index or column name. Could you add support for getting the column name or index information in the exception?

#127 commons-beanutils update to 1.10.1

2025-08-03T17:11:26.293000Z

status: open --> closed

#128 Upate opencsv to take latest jar of commons-beanutils to fix CVE-2025-48734

2025-06-11T14:32:26.633000Z

commons-beanutils2 would also fix sonatype-2024-3350 as this is coming transitively from commons-collections 3.x

#127 commons-beanutils update to 1.10.1

2025-06-11T14:29:50.722000Z

A better move would be to consider commons-beanutils2, as commons-beanutils 1.x contains commons-collections 3.x, which has sonatype-2024-3350

Upate opencsv to take latest jar of commons-beanutils to fix CVE-2025-48734

2025-06-05T13:37:35.635000Z

Need an update for opencsv to take latest jar of commons-beanutils to fix CVE-2025-48734. This CVE is a HIGH severity issue.