CVE-2024-47554

MEDIUM

Apache Commons IO 2.0-2.13.0 - Uncontrolled Resource Consumption via XmlStreamReader


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-47554. PoCs published by PawelMurdzek.

AI-analyzed exploit summary: This repository contains a functional Proof of Concept (PoC) for CVE-2024-38355, a denial-of-service (DoS) vulnerability in Socket.IO. The exploit demonstrates how a crafted Socket.IO packet can crash a vulnerable server by triggering an uncaught exception.

Description

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Exploits (1)

GitHub · WORKING POC
by PawelMurdzek · javascript · poc
https://github.com/PawelMurdzek/CVE-2024-38355-PoC

Classification: Working PoC (100%)
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Socket.IO versions < 2.5.1 and >= 3.0.0, < 4.6.2
No auth needed
Prerequisites: A vulnerable Socket.IO server without proper error handling
devstral-2 · analyzed Feb 19, 2026

References (3)

Core References
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2024/10/03/2
Mailing List, Vendor Advisory: https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1

Scores

CVSS v3 4.3
EPSS 0.0125
EPSS Percentile 65.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-400
Status published
Products (10)
apache/commons_io 2.0 - 2.14.0
commons-io/commons-io 2.0 - 2.14.0 (Maven)
netapp/active_iq_unified_manager (3 CPE variants)
netapp/bluexp
netapp/e-series_santricity_unified_manager
netapp/e-series_santricity_web_services_proxy
netapp/ontap_tools 9
netapp/ontap_tools 10
netapp/santricity_storage_plugin
netapp/snapcenter
Published Oct 03, 2024
Tracked Since Feb 18, 2026