Critical Apache Commons Text Vulnerability Enables Remote Code Execution Attacks

A newly disclosed security flaw in Apache Commons Text, tracked as CVE-2025-46295, has been identified as a remote code execution (RCE) vulnerability that could allow attackers to compromise systems using vulnerable versions of the library. The issue impacts Apache Commons Text versions before 1.10.0, which contain unsafe interpolation features that may be exploited when applications process untrusted user input.

Apache Commons Text is a widely used Java library for string manipulation and text substitution.

Unsafe Interpolation Features

The vulnerability stems from the library’s interpolation mechanism, which can evaluate expressions or reference external data sources dynamically.

If an application includes user-controlled data within the text-substitution API, attackers could craft malicious payloads to trigger arbitrary code execution or interact with remote resources.

According to the Claris advisory, this flaw has already been addressed by upgrading Apache Commons Text to a secure version.

Row                 Details
CVE ID              CVE-2025-46295
Vulnerability Type  Remote Code Execution (RCE)
Description         Vulnerability in Apache Commons Text that allows execution of arbitrary code via untrusted input in text interpolation.
Affected Versions   Apache Commons Text versions prior to 1.10.0
Impacted Product    FileMaker Server 2025

Claris, whose FileMaker Server incorporates this component, has confirmed that the issue has been fully mitigated in FileMaker Server 22.0.4.

The library has been updated to version 1.14.0. Users running older releases remain exposed and should prioritize applying the latest updates immediately.

The discovery of CVE-2025-46295 underscores the ongoing risks posed by transitive dependencies in modern software supply chains.

Even utilities used indirectly within large applications can introduce severe security weaknesses if not regularly maintained or updated.

Organizations depending on Java-based services should review their build environments and dependencies to verify that vulnerable versions of Apache Commons Text are no longer in use.

Claris FileMaker acknowledged and credited an anonymous researcher for responsibly reporting the vulnerability.

The company emphasizes that keeping components up to date is critical to maintaining secure deployments, particularly for server-side environments exposed to the internet.

Security teams are urged to implement the fixed release and perform dependency scans across all projects to prevent potential exploitation of this high-severity RCE flaw.
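
The dependency review and scan recommended above can be automated. The following Python script is an added example, not part of the original article or of any Claris or Apache tooling; it scans the text output of a Maven dependency tree (the sample tree below is constructed) for commons-text artifacts older than the 1.10.0 release named on this page, comparing versions numerically so that 1.9 is correctly flagged as older than 1.10.0.

```python
import re

# Fixed release named on the page; anything older is treated as affected.
FIXED_VERSION = (1, 10, 0)

# Matches commons-text coordinates as printed by `mvn dependency:tree`,
# e.g. "org.apache.commons:commons-text:jar:1.9:compile".
COORD_RE = re.compile(
    r"org\.apache\.commons:commons-text:jar:(?P<version>[0-9][0-9A-Za-z.\-]*)"
)


def parse_version(text):
    """Turn '1.9' or '1.10.0' into a comparable tuple of ints.

    Numeric comparison matters: as plain strings '1.9' sorts after
    '1.10.0', so a string comparison would miss the vulnerable release."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)  # ignore qualifiers such as -SNAPSHOT
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def find_vulnerable(tree_output, fixed=FIXED_VERSION):
    """Return (line_no, version) for each commons-text entry older than `fixed`."""
    hits = []
    for n, line in enumerate(tree_output.splitlines(), 1):
        m = COORD_RE.search(line)
        if m and parse_version(m.group("version")) < fixed:
            hits.append((n, m.group("version")))
    return hits


# Constructed sample: an abbreviated dependency tree with one direct and
# two transitive (deeper-indented) commons-text entries.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] |  \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- com.example:reporting:jar:2.3.1:compile
[INFO] |  \\- org.apache.commons:commons-text:jar:1.14.0:compile
[INFO] \\- org.apache.commons:commons-text:jar:1.10.0:compile
"""

if __name__ == "__main__":
    for line_no, version in find_vulnerable(SAMPLE_TREE):
        print(f"line {line_no}: commons-text {version} is older than 1.10.0")
```

Feed it the saved output of `mvn dependency:tree` for each project; any hit is a transitive or direct dependency still below the fixed release.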
