
Conversation

@RyanL1997 (Collaborator) commented Oct 25, 2025

Description

Fix CVE-2025-48924

The problematic dependency happens to be in a diamond dependency situation:

  ├── commons-lang3:3.18.0  <- correct version already
  └── calcite-core:1.38.0
      └── aggdesigner-algorithm:6.0
          └── commons-lang:2.4  <- reported version

Related Issues

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • New functionality has javadoc added.
  • New functionality has a user manual doc added.
  • New PPL command checklist all confirmed.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff or -s.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Jialiang Liang <[email protected]>
@dai-chen (Collaborator) left a comment

Both commons-lang3 3.18 and commons-lang 2.6+ can fix the CVE, right? Is the current change enforcing commons-lang3, which renames its root package?

@RyanL1997 (Collaborator, Author) commented Oct 27, 2025

> Both commons-lang3 3.18 and commons-lang 2.6+ can fix the CVE, right? Is the current change enforcing commons-lang3, which renames its root package?

Hi @dai-chen ,

You're correct that there are no patched versions in the commons-lang 2.x series (the advisory shows "Patched versions: None" for commons-lang 2.0-2.6). The only fix is upgrading to commons-lang3 3.18.0+.

Yes, our dependency substitution does enforce commons-lang3, which uses the renamed org.apache.commons.lang3.* package structure, but our testing confirms this works correctly. Since there's no way to patch the old commons-lang 2.x and we can't control what aggdesigner-algorithm depends on, dependency substitution to commons-lang3 3.18.0 is the approach to resolve this.
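Editor's note: the PR's actual diff is not shown on this page, so the following is an added build.gradle fragment illustrating the dependency-substitution approach the author describes, not the project's own code. It reproduces the diamond from the description (a direct commons-lang3 3.18.0 dependency beside calcite-core 1.38.0, whose aggdesigner-algorithm 6.0 pulls in commons-lang 2.4), shows why a plain version `force` does not fix the report, and adds a guard task that fails the build if the vulnerable coordinates ever resolve again. The `verifyNoCommonsLang2` task name and the use of the `java` plugin's `runtimeClasspath` configuration are assumptions.

```groovy
// Added example, not the PR's diff. Coordinates for commons-lang3 3.18.0 and the
// calcite-core 1.38.0 -> aggdesigner-algorithm 6.0 -> commons-lang 2.4 chain come
// from the PR description; the task name below is an assumption.
plugins { id 'java' }

dependencies {
    implementation 'org.apache.commons:commons-lang3:3.18.0'
    // Transitively brings aggdesigner-algorithm:6.0 -> commons-lang:commons-lang:2.4
    implementation 'org.apache.calcite:calcite-core:1.38.0'
}

configurations.all {
    // WEAK: `force` only pins the version of a module that is already in the graph.
    // commons-lang:commons-lang (2.x) and org.apache.commons:commons-lang3 are
    // different coordinates, so forcing 3.18.0 leaves commons-lang 2.4 in place and
    // the scanner keeps reporting CVE-2025-48924.
    // resolutionStrategy.force 'org.apache.commons:commons-lang3:3.18.0'

    // CORRECT: rewrite the vulnerable coordinates to the patched artifact at
    // resolution time, on every path by which they enter the graph.
    resolutionStrategy.dependencySubstitution {
        substitute module('commons-lang:commons-lang') using module('org.apache.commons:commons-lang3:3.18.0') because 'CVE-2025-48924: no patched commons-lang 2.x release exists'
    }
}

// Guard: fail the build if commons-lang 2.x resolves again, e.g. after a future
// calcite bump that adds another transitive path to it.
def verifyNoCommonsLang2 = tasks.register('verifyNoCommonsLang2') {
    description = 'Fails if commons-lang 2.x is still on the runtime classpath'
    def runtime = configurations.runtimeClasspath
    doLast {
        def offenders = runtime.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'commons-lang' && it.name == 'commons-lang' }
        if (!offenders.isEmpty()) {
            throw new GradleException("commons-lang 2.x still resolved: ${offenders}")
        }
    }
}
tasks.named('check') { dependsOn verifyNoCommonsLang2 }
```

To confirm what actually resolved, run `./gradlew dependencyInsight --dependency commons-lang --configuration runtimeClasspath`; the substituted edge shows up annotated with the `because` reason. One caveat a reviewer should keep in mind, and the point behind the question above: substitution swaps the artifact, not the package names. aggdesigner-algorithm was compiled against `org.apache.commons.lang.*`, so after substitution those classes are simply absent from the classpath, exactly as if the transitive had been excluded with `exclude group: 'commons-lang', module: 'commons-lang'`. Any aggdesigner code path that touches commons-lang will fail with `NoClassDefFoundError` at runtime, so the meaningful test is one that exercises the Calcite features backed by aggdesigner-algorithm, not just a clean dependency report.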


Labels

maintenance Improves code quality, but not the product


2 participants