AIKIDO-2025-10848

slack-incoming-webhook-plugin is vulnerable to Dependency on Vulnerable Third-Party Component

Dependency on Vulnerable Third-Party Component (CVE-2025-48924)

20

Low Risk

This Affects:

Java: slack-incoming-webhook-plugin
0.0.1 - 1.3.6
Fixed in 1.3.7

TL;DR

Affected versions of this package import the vulnerable commons-lang package (CVE-2025-48924), which is susceptible to Uncontrolled Recursion when processing long or deeply nested inputs. The patch replaces the vulnerable package with commons-lang3 version 3.18.0.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

slack-incoming-webhook-plugin is vulnerable to Dependency on Vulnerable Third-Party Component in versions 0.0.1 - 1.3.6.

How to fix this

Upgrade the org.rundeck.plugins:slack-incoming-webhook-plugin library to a patched version (1.3.7 or later).
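To confirm whether a build pulls in an affected plugin version or an unpatched commons-lang artifact, the following check walks a Gradle-style dependency tree and flags the coordinates named in this advisory. It is an added example, not code from Aikido or from the Rundeck plugin project. It assumes the `group:artifact:version` line format that Gradle's `dependencies` task prints (including the `old -> resolved` arrow for conflict-resolved versions), the Maven coordinates `commons-lang:commons-lang` (the legacy 2.x line) and `org.apache.commons:commons-lang3`, and the thresholds stated above: plugin 0.0.1 - 1.3.6 affected, fixed in 1.3.7; commons-lang3 3.18.0 as the patched version. The sample tree below is constructed for the demonstration.

```python
import re

# Thresholds taken from the advisory text above.
PLUGIN = "org.rundeck.plugins:slack-incoming-webhook-plugin"
PLUGIN_FIRST_AFFECTED = (0, 0, 1)
PLUGIN_FIXED = (1, 3, 7)
LANG3 = "org.apache.commons:commons-lang3"        # assumed Maven coordinate
LANG3_FIXED = (3, 18, 0)
LEGACY_LANG = "commons-lang:commons-lang"         # assumed Maven coordinate of the 2.x line

# group:artifact:version as printed in a Gradle dependency tree (assumed format).
DEP_RE = re.compile(r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([0-9][0-9A-Za-z.\-]*)")
# "1.3.5 -> 1.3.7": Gradle shows the resolved version after an arrow.
ARROW_RE = re.compile(r"->\s*([0-9][0-9A-Za-z.\-]*)")

# Constructed sample output; not taken from any real build.
SAMPLE_DEPENDENCY_TREE = [
    "+--- org.rundeck.plugins:slack-incoming-webhook-plugin:1.3.5",
    "|    \\--- commons-lang:commons-lang:2.6",
    "+--- org.apache.commons:commons-lang3:3.17.0 -> 3.18.0",
    "\\--- org.apache.commons:commons-lang3:3.12.0",
]


def parse_version(version):
    """Return the leading numeric components as a tuple, e.g. '1.3.6-SNAPSHOT' -> (1, 3, 6).

    Tuples compare lexicographically, which matches dotted-version ordering
    for numeric components; non-numeric suffixes are ignored.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def classify(coordinate, version):
    """Return a reason string if (coordinate, version) is affected, else None."""
    parsed = parse_version(version)
    if coordinate == PLUGIN:
        if not parsed:
            return "unparsable version, review manually"
        if PLUGIN_FIRST_AFFECTED <= parsed < PLUGIN_FIXED:
            return "in affected range 0.0.1 - 1.3.6 (fixed in 1.3.7)"
    elif coordinate == LEGACY_LANG:
        # The advisory's fix replaces this artifact outright, so any version is flagged.
        return "legacy commons-lang artifact; replace with commons-lang3 3.18.0"
    elif coordinate == LANG3:
        if not parsed:
            return "unparsable version, review manually"
        if parsed < LANG3_FIXED:
            return "commons-lang3 below 3.18.0"
    return None


def find_affected(lines):
    """Scan dependency-tree lines and return (coordinate, version, reason) tuples.

    When Gradle shows a resolution arrow, the resolved version is what ends up
    on the classpath, so that is the version checked.
    """
    findings = []
    seen = set()
    for line in lines:
        match = DEP_RE.search(line)
        if not match:
            continue
        group, artifact, version = match.groups()
        arrow = ARROW_RE.search(line)
        if arrow:
            version = arrow.group(1)
        coordinate = f"{group}:{artifact}"
        if (coordinate, version) in seen:
            continue
        seen.add((coordinate, version))
        reason = classify(coordinate, version)
        if reason:
            findings.append((coordinate, version, reason))
    return findings


if __name__ == "__main__":
    for coordinate, version, reason in find_affected(SAMPLE_DEPENDENCY_TREE):
        print(f"{coordinate}:{version}  ->  {reason}")
```

Feed it the output of your build's dependency listing (for Gradle, `gradle dependencies --configuration runtimeClasspath` produces this shape) to see which artifacts need the upgrade; an entry for the plugin at 1.3.7 or later produces no finding.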