CVE-2022-42889
High PUBLISHEDApache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults
Not yet in CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
- CVE Published
- Oct 13, 2022
- Exploitation Reported
- Oct 20, 2022
- CVSS
- 9.8 Critical
- EPSS
- 94.2%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Apache Software Foundation |
Apache Commons Text
|
unspecified to <= 1.9 |
Affected |
| Apache Software Foundation |
Apache Commons Text
|
1.5 to < Apache Commons Text* |
Affected |
CVE References
- GLSA-202301-05 security.gentoo.org · Vendor Advisory https://security.gentoo.org/glsa/202301-05
- [oss-security] 20221013 CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults openwall.com · Mailing List http://www.openwall.com/lists/oss-security/2022/10/13/4
- [oss-security] 20221017 Re: CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults openwall.com · Mailing List http://www.openwall.com/lists/oss-security/2022/10/18/1
- 20230214 OXAS-ADV-2022-0002: OX App Suite Security Advisory seclists.org · Mailing List http://seclists.org/fulldisclosure/2023/Feb/3
- Apache Mailing List lists.apache.org · CVE Record https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
Show 4 more references
- security.netapp.com/advisory/ntap-20221020-0004 security.netapp.com · CVE Record https://security.netapp.com/advisory/ntap-20221020-0004/
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022 psirt.global.sonicwall.com · CVE Record https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
- packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripti... packetstormsecurity.com · CVE Record http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-S...
- packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-... packetstormsecurity.com · CVE Record http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-R...
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| Wordfence First | 2022-10-20 11:40 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_commons_text4shell.rb | Apr 28, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Proof of concept available
Recorded 2022-10-17 18:50:36 UTC · GitHub
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_commons_text4shell.rb | Apr 28, 2025 |
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2023-06-27 08:29:24 UTC · 14 stars
This repository contains a Python script to automate the process of testing for a vulnerability known as Text4Shell, referenced under the CVE id: CVE-2022-42889.
github · Created 2022-11-05 07:32:51 UTC · 2 stars
CVE-2022-42889 (a.k.a. Text4Shell) RCE Proof of Concept
github · Created 2022-11-04 19:26:23 UTC · 18 stars
Proof of Concept for CVE-2022-42889 (Text4Shell Vulnerability)
github · Created 2022-10-25 13:11:24 UTC · 2 stars
github · Created 2022-10-23 13:42:23 UTC · 21 stars
CVE-2022-42889 aka Text4Shell research & PoC
github · Created 2022-10-23 08:33:02 UTC · 2 stars
Apache Text4Shell (CVE-2022-42889) Burp Bounty Profile
github · Created 2022-10-23 05:48:48 UTC · 6 stars
A simple dockerize application that shows how to exploit the CVE-2022-42889 vulnerability.
github · Created 2022-10-22 02:06:40 UTC · 3 stars
python script for CVE-2022-42889
github · Created 2022-10-21 13:48:04 UTC · 2 stars
github · Created 2022-10-19 11:49:08 UTC · 55 stars
Apache commons text - CVE-2022-42889 Text4Shell proof of concept exploit.
github · Created 2022-10-18 23:15:40 UTC · 13 stars
A simple application that shows how to exploit the CVE-2022-42889 vulnerability
github · Created 2022-10-17 18:50:36 UTC · 34 stars
Proof of Concept for the Apache commons-text vulnerability CVE-2022-42889.
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
15:02 UTC about 1 year ago15:02 UTC · about 1 year ago
Metasploit module available
Exploit module available
-
11:40 UTC over 3 years ago11:40 UTC · over 3 years ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
18:50 UTC over 3 years ago18:50 UTC · over 3 years ago
Public PoC available
Public proof-of-concept code published
-
00:00 UTC almost 4 years ago00:00 UTC · almost 4 years ago
CVE published
Vulnerability disclosed publicly
-
00:00 UTC almost 4 years ago00:00 UTC · almost 4 years ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2022-42889
{
"cve_id": "CVE-2022-42889",
"title": "Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted inpu...",
"affected_vendor": "Apache Software Foundation",
"affected_product": "Apache Commons Text",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "High",
"cvss_score": 9.8,
"epss_score": 0.94161,
"exploit_status": {
"exploited_in_the_wild": false,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}