Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
CVE-2022-42889
Score elevated to 9.8 because EPSS predicts 94% probability of exploitation within the next 30 days (top 0.1% of all CVEs). NVD baseline CVSS 9.8 retained for reference. Confidence: see factors.
- High exploitation likelihood — EPSS 100%
A fix is available — apply it.
- CVSS v3
- 9.8
- EG Score
- 9.8(high)
- EPSS
- 100.0%
- KEV
- Not listed
Published
October 13, 2022
Last Modified
November 21, 2024
References (18)
- security@apachehttp://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
- security@apachehttp://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
- security@apachehttp://seclists.org/fulldisclosure/2023/Feb/3
- security@apachehttp://www.openwall.com/lists/oss-security/2022/10/13/4
- security@apachehttp://www.openwall.com/lists/oss-security/2022/10/18/1
- security@apachehttps://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
- security@apachehttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
- security@apachehttps://security.gentoo.org/glsa/202301-05
- security@apachehttps://security.netapp.com/advisory/ntap-20221020-0004/
- af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
- af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
- af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2023/Feb/3
- af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2022/10/13/4
- af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2022/10/18/1
- af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
Vendor Advisories for CVE-2022-42889(13)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2025:1747Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.12 security update
- RHSA-2025:1746Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.9 on RHEL 7 security update
- RHSA-2024:0775Red Hat Product SecurityHigh
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
- RHSA-2024:0778Red Hat Product SecurityHigh
Red Hat Security Advisory: Jenkins and Jenkins-2-plugins security update
- RHSA-2024:0777Red Hat Product SecurityHigh
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
- RHSA-2024:0776Red Hat Product SecurityHigh
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
- RHSA-2023:7288Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Product OCP Tools 4.14 Openshift Jenkins security update
- RHSA-2023:6179Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat Product OCP Tools 4.13 OpenShift Jenkins security update
- +5 more
Patch Availability(20)
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(2 across 1 ecosystem)
Maven(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| com.guicedee.services:commons-text | 0.70.0.1 ... 1.2.2.1-jre17 (445 versions) | — | — |
| org.apache.commons:commons-text | 1.5, 1.6, 1.7, 1.8, 1.9 | 1.10.0 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(12)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2022:8652CRITICAL2022-10-13
RHSA-2022:8652 — Critical
- Red HatRHSA-2022:8876CRITICAL2022-10-13
RHSA-2022:8876 — Critical
- Red HatRHSA-2022:8902CRITICAL2022-10-13
RHSA-2022:8902 — Critical
- Red HatRHSA-2022:9023CRITICAL2022-10-13
RHSA-2022:9023 — Critical
- Red HatRHSA-2023:0261CRITICAL2022-10-13
RHSA-2023:0261 — Critical
- Red HatRHSA-2023:0469CRITICAL2022-10-13
RHSA-2023:0469 — Critical
- Red HatRHSA-2023:1524CRITICAL2022-10-13
RHSA-2023:1524 — Critical
- Red HatRHSA-2023:1655CRITICAL2022-10-13
RHSA-2023:1655 — Critical
- Red HatRHSA-2023:2135CRITICAL2022-10-13
RHSA-2023:2135 — Critical
- Red HatRHSA-2023:3195CRITICAL2022-10-13
RHSA-2023:3195 — Critical
- Red HatRHSA-2023:3299CRITICAL2022-10-13
RHSA-2023:3299 — Critical
- Red HatRHSA-2024:3527CRITICAL2022-10-13
RHSA-2024:3527 — Critical
Data Freshness Timeline
(refreshed 1× in last 7d / 3× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-05 02:28 UTCEPSS rescore
- 2026-06-28 16:32 UTCOSV refresh
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-11 06:39 UTCOSV refresh
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-25 13:53 UTCEG score recompute
- 2026-05-25 13:53 UTCVendor advisory
- 2026-05-24 00:22 UTCOSV refresh
Publicly available exploits
(10 references)Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCifconfig-me/Log4Shell-PayloadsFirst seen Jul 23, 2025
Log4Shell / Log4J Payload - CVE-2021-45046 and CVE-2022-42889
Open source ↗ - Exploit-DBEDB-52261First seen Apr 18, 2025
Apache Commons Text 1.10.0 - Remote Code Execution
Open source ↗ - GitHub PoCalealeluyah/CVE-2022-42889-Text4Shell-POCFirst seen Jun 27, 2023
This repository contains a Python script to automate the process of testing for a vulnerability known as Text4Shell, referenced under the CVE id: CVE-2022-42889.
Open source ↗ - GitHub PoCf0ng/text4shellburpscannerFirst seen Dec 9, 2022
text4shell(CVE-2022-42889) BurpSuite Scanner
Open source ↗ - GitHub PoCcryxnet/CVE-2022-42889-RCEFirst seen Nov 4, 2022
Proof of Concept for CVE-2022-42889 (Text4Shell Vulnerability)
Open source ↗ - GitHub PoCcxzero/CVE-2022-42889-text4shellFirst seen Oct 23, 2022
CVE-2022-42889 aka Text4Shell research & PoC
Open source ↗ - GitHub PoCsecurekomodo/text4shell-pocFirst seen Oct 20, 2022
Proof of Concept Appliction for testing CVE-2022-42889
Open source ↗ - GitHub PoCkljunowsky/CVE-2022-42889-text4shellFirst seen Oct 19, 2022
Apache commons text - CVE-2022-42889 Text4Shell proof of concept exploit.
Open source ↗ - GitHub PoCkarthikuj/cve-2022-42889-text4shell-dockerFirst seen Oct 18, 2022
Dockerized POC for CVE-2022-42889 Text4Shell
Open source ↗ - GitHub PoCClickCyber/cve-2022-42889First seen Oct 18, 2022
cve-2022-42889 Text4Shell CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10.
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-94
- CVE-2006-1359NVD 0.0EG 9.0EPSS 99%NONE
- CVE-2005-1921NVD 0.0EG 9.0EPSS 100%NONE
- CVE-2005-3302EG 7.3HIGH
- CVE-2005-1876EG 4.5MEDIUM
- CVE-2003-1599EG 0.0NONE
- CVE-2006-1318EG 0.0EPSS 96%NONE
- CVE-2006-1301EG 0.0EPSS 95%NONE
- CVE-2006-1308EG 0.0EPSS 95%NONE
- CVE-2006-1309EG 0.0EPSS 95%NONE
- CVE-2006-1304EG 0.0EPSS 95%NONE
Frequently asked(5)
What is CVE-2022-42889?
When was CVE-2022-42889 disclosed?
Is CVE-2022-42889 actively exploited?
What is the CVSS score of CVE-2022-42889?
How do I remediate CVE-2022-42889?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2022-42889
Is Your Infrastructure Affected by CVE-2022-42889?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.