Recent changes to support-requests

#130 Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0

Laurent T. — Mon, 23 Feb 2026 15:29:06 -0000

On my end, the reason I didn't question this is I wasn't expecting spring-boot to not be using the latest version. They decided not the backport the change to the 3.5 branch

if you're curious: https://github.com/spring-projects/spring-boot/issues/46437

Also IntelliJ's dependency analyser doesn't tell me that the version is coming from spring-boot pining that version.

Anyway thanks, problem solved ;)

#130 Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0

Scott Conway — Mon, 23 Feb 2026 15:21:42 -0000

No worries - I cannot count the number of times I have been personally burned by overriding transitive dependencies and so I am not surprised when I get a couple of these tickets every year. I was just surprised that I had two this close together.

Scott :)

#130 Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0

Laurent T. — Mon, 23 Feb 2026 13:51:23 -0000

Hi Scott.

Indeed, I don't know how I missed that. Seems I'm having the same issue described in that other ticket.

Sorry for the dup. I'll be more careful in the future.

#130 Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0

Scott Conway — Mon, 23 Feb 2026 13:06:56 -0000

Hello Laurent.

Make sure you are using version 5.12.0 as that is using 3.18.0. If you are using 5.12.0 then look at https://sourceforge.net/p/opencsv/feature-requests/175/ for possible solution.

The snapshot version does use 3.20.0 but it is just dependency updates thus far so there has not been a reason to update. Here again if you want to force 3.20.0 then look at the above feature request for the solution.

Hope that helps.

Scott Conway :)

Transitive dependency commons-lang3 vulnerable to CVE-2025-48924 — please upgrade to 3.20.0

Laurent Thoulon — Mon, 23 Feb 2026 09:49:00 -0000

Hi, just a heads-up that the transitive dependency org.apache.commons:commons-lang3 pulled in by opencsv is currently pinned to version 3.17.0, which is affected by CVE-2025-48924 (CVSS 5.3).

The vulnerability involves uncontrolled recursion in ClassUtils.getClass(...), which can throw a StackOverflowError on very long inputs and potentially cause the application to stop. The fix was introduced in version 3.18.0.

Would it be possible to upgrade this dependency to 3.20.0 (current latest)? Thanks for maintaining opencsv!

Reference: https://www.mend.io/vulnerability-database/CVE-2025-48924

Add column name or index information in CsvException

eltonsandre — Mon, 17 Nov 2025 19:09:08 -0000

CsvDataTypeMismatchException exceptions do not have the index or column name. Could you add support for getting the column name or index information in the exception?

#127 commons-beanutils update to 1.10.1

Scott Conway — Sun, 03 Aug 2025 17:11:26 -0000

status: open --> closed

#128 Upate opencsv to take latest jar of commons-beanutils to fix CVE-2025-48734

Silviu Burcea — Wed, 11 Jun 2025 14:32:26 -0000

commons-beanutils2 would also fix sonatype-2024-3350 as this is coming transitively from commons-collections 3.x

#127 commons-beanutils update to 1.10.1

Silviu Burcea — Wed, 11 Jun 2025 14:29:50 -0000

A better move would be to consider commons-beanutils2, as commons-beanutils 1.x contains commons-collections 3.x, which has sonatype-2024-3350

Upate opencsv to take latest jar of commons-beanutils to fix CVE-2025-48734

Kavita Torvi — Thu, 05 Jun 2025 13:37:35 -0000

Need an update for opencsv to take latest jar of commons-beanutils to fix CVE-2025-48734. This CVE is a HIGH severity issue.