Rapid7 Threat Research

Rapid7 Analysis: CVE-2022-42889

Last updated on Jun 16, 2026

Description and technical analysis

CVE-2022-42889 is a code execution vulnerability in Apache Commons Text that came to light on the Apache dev list on October 13, 2022. Originally discovered by Alvaro Munoz, the vulnerability exists in the interpolating StringSubstitutor created by StringSubstitutor.createInterpolator(), which resolves ${prefix:name} variables using the default lookups registered in StringLookupFactory. Three of those default lookups are dangerous when the input is untrusted: "script" evaluates the remainder of the variable with a JSR-223 script engine, while "dns" and "url" let the string trigger DNS resolution or URL fetches (including file: reads) against targets of the attacker's choosing. An attacker who can get a crafted string passed to the interpolator's replace() method can therefore execute arbitrary code via the "script" lookup, or reach arbitrary hosts and files via "dns" and "url".

CVE-2022-42889 carries a (probably unwarranted) CVSS score of 9.8. There are multiple public proof-of-concept exploits available, but there has been no known exploitation in the wild as of October 17, 2022. Real-world exploitability is likely to be low.

Affected products

CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10.0, which removes "script", "dns" and "url" from the set of lookups the interpolator enables by default.

Since Commons Text is a library, the specific usage of the interpolator in an application will dictate the impact of this vulnerability.
As an example:

import org.apache.commons.text.StringSubstitutor;

StringSubstitutor interpolator = StringSubstitutor.createInterpolator(); // default lookups, including "script"
// The inner double quotes must be escaped for this to compile as a Java string literal.
String pocstring = "${script:javascript:java.lang.Runtime.getRuntime().exec(\"echo 'pwnd'\")}";
String pwn = interpolator.replace(pocstring); // resolving the lookup runs the JavaScript through the registered engine

This specific code fragment is unlikely to exist in production applications, but the concern is that in some applications, the pocstring variable may be attacker-controllable.
The StringSubstitutor interpolator does not seem to be in extremely wide use, and observed usage does not appear to be remotely exploitable in general.

We originally indicated that JDK 15 and later are not impacted because the Nashorn JavaScript engine was deprecated in JDK 11 and removed in JDK 15; however, the "script" lookup will use any JSR-223 engine registered with the JVM's ScriptEngineManager, so other engines can be leveraged as well. An updated PoC uses the JEXL engine (commons-jexl3, which registers itself under the name "JEXL") as the exploit path. Here's the payload:

// JEXL cannot name a class directly, so the expression reaches java.lang.Runtime by reflection from an empty string's Class object.
String payload = "${script:JEXL:''.getClass().forName('java.lang.Runtime').getRuntime().exec('touch /tmp/jexlworks')}";

If commons-jexl3 is present on the classpath, the lookup evaluates the expression and the command runs, regardless of whether Nashorn is available.

Guidance

If you are directly using Commons Text, the recommended mitigation is to upgrade to version 1.10.0. If you cannot upgrade immediately, do not pass untrusted input to an interpolating StringSubstitutor, or build the substitutor with an explicit set of lookups that excludes "script", "dns" and "url".
Because Commons Text is bundled inside many applications, the 1.10.0 release only fixes the library itself: applications that ship their own copy will issue their own patches, and mitigating those instances means patching each application individually. Inventory the commons-text JARs actually present on each application's classpath rather than relying on a single library upgrade.
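The following is an added example, not code from this post or from the Commons Text project, that puts the vulnerable pattern from the "Affected products" section beside the hardened form recommended above, plus a runtime check that tells you which behaviour the deployed library and JDK actually exhibit. The class and method names (InterpolatorHardening, vulnerable, hardened, classifyDefaultInterpolator), the PROBE string and the "user" key are constructed for the example; it assumes commons-text and commons-lang3 on the classpath and that the three-argument StringLookupFactory.interpolatorStringLookup(Map, StringLookup, boolean) overload is available in the release you are using.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example (not from the Rapid7 post or the Commons Text project).
// Assumes commons-text (1.5-1.9 for the vulnerable case, 1.10.0+ for the fixed case)
// and commons-lang3 on the classpath.
public class InterpolatorHardening {

    // Constructed probe: a "script" lookup that only returns a string, so a run that
    // evaluates it is visible in the output without spawning a process.
    static final String PROBE = "${script:javascript:'interpolated-' + (6 * 7)}";

    // Vulnerable pattern: untrusted text reaches the default interpolator, whose
    // default lookups on 1.5-1.9 include script, dns and url.
    static String vulnerable(String untrusted) {
        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
        return interpolator.replace(untrusted);
    }

    // Hardened pattern: the substitutor is built with an explicit lookup chain.
    // addDefaultLookups=false keeps every factory default (script, dns, url included)
    // out of the chain; only the prefixes in the map and the allow-listed key/value
    // map resolve, so "${script:...}" is left verbatim in the output.
    static String hardened(String untrusted, Map<String, String> allowedKeys) {
        Map<String, StringLookup> prefixed = new HashMap<>();
        prefixed.put("date", StringLookupFactory.INSTANCE.dateStringLookup()); // harmless: formats the current time
        StringLookup chain = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                prefixed, StringLookupFactory.INSTANCE.mapStringLookup(allowedKeys), false);
        return new StringSubstitutor(chain).replace(untrusted);
    }

    // Runtime check for a test suite: classifies what the default interpolator does
    // with the probe on the Commons Text build and JDK actually deployed.
    static String classifyDefaultInterpolator() {
        try {
            String out = vulnerable(PROBE);
            return out.equals(PROBE)
                    ? "script lookup disabled (1.10.0+ defaults)"
                    : "script lookup ENABLED and executed: " + out;
        } catch (IllegalArgumentException noEngine) {
            // 1.5-1.9 on a JDK without Nashorn: the lookup is live but no "javascript"
            // engine is registered. Adding any JSR-223 engine (e.g. commons-jexl3) re-arms it.
            return "script lookup ENABLED, no javascript engine present: " + noEngine.getMessage();
        }
    }

    public static void main(String[] args) {
        Map<String, String> allowed = new HashMap<>();
        allowed.put("user", "alice");

        System.out.println("hardened, probe:       " + hardened(PROBE, allowed));
        System.out.println("hardened, allowed key: " + hardened("hello ${user}, year ${date:yyyy}", allowed));
        System.out.println("default interpolator:  " + classifyDefaultInterpolator());
    }
}
```

Run it with the commons-text and commons-lang3 JARs your application actually ships on the classpath. The hardened substitutor prints the probe unchanged and resolves only ${user} and ${date:...}; the classification line distinguishes a patched default (probe left verbatim) from a vulnerable one (probe evaluated, or an IllegalArgumentException about a missing engine, which still means the lookup is armed). Two caveats: on 1.10.0 the removed lookups can be re-enabled through the org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups system property, so run the check under the deployed JVM configuration; and even the 1.10.0 defaults still resolve lookups such as "sys", "env" and "file", so an allow-listed chain remains the right choice wherever the input is attacker-controlled.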
