📂 Vulnerable Library - telegrambots-6.5.0.jar
Easy to use library to create Telegram Bots
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/telegram/telegrambots/6.5.0/telegrambots-6.5.0.jar
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-953123-750181 |
🟣 Critical |
9.8 |
N/A |
N/A |
jakarta.activation-api-1.2.2.jar |
Transitive |
N/A |
❌ |
|
| CVE-2025-52999 |
🔴 High |
8.7 |
Not Defined |
< 1% |
jackson-core-2.14.1.jar |
Transitive |
N/A |
❌ |
 Reachable |
| CVE-2025-48924 |
🟠 Medium |
6.9 |
Not Defined |
< 1% |
commons-lang3-3.12.0.jar |
Direct |
N/A |
❌ |
Reachable |
| WS-2019-0379 |
🟠 Medium |
6.5 |
N/A |
N/A |
commons-codec-1.11.jar |
Transitive |
N/A |
❌ |
 Unreachable |
Details
🟣CVE-953123-750181
Vulnerable Library - jakarta.activation-api-1.2.2.jar
Jakarta Activation API jar
Library home page: https://www.eclipse.org
Path to dependency file: /telegrambots-spring-boot-starter/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/jakarta/activation/jakarta.activation-api/1.2.2/jakarta.activation-api-1.2.2.jar
Dependency Hierarchy:
- telegrambots-6.5.0.jar (Root Library)
- jackson-jaxrs-json-provider-2.14.1.jar
- jackson-module-jaxb-annotations-2.14.1.jar
- jakarta.xml.bind-api-2.3.3.jar
- ❌ jakarta.activation-api-1.2.2.jar (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-953123-750181
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2025-52999
Vulnerable Library - jackson-core-2.14.1.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /telegrambots-meta/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.jar
Dependency Hierarchy:
-
jackson-databind-2.14.1.jar (Root Library)
- ❌ jackson-core-2.14.1.jar (Vulnerable Library)
-
telegrambots-meta-6.5.0.jar (Root Library)
- jackson-databind-2.14.1.jar
- ❌ jackson-core-2.14.1.jar (Vulnerable Library)
-
telegrambots-6.5.0.jar (Root Library)
- telegrambots-meta-6.5.0.jar
- jackson-databind-2.14.1.jar
- ❌ jackson-core-2.14.1.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.telegram.telegrambots.meta.api.objects.commands.scope.serialization.BotCommandScopeDeserializer (Application)
- com.fasterxml.jackson.databind.DeserializationContext (Extension)
- com.fasterxml.jackson.databind.json.JsonMapper (Extension)
-> ❌ com.fasterxml.jackson.core.JsonEncoding (Vulnerable Component)
Vulnerability Details
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Publish Date: Jun 25, 2025 05:02 PM
URL: CVE-2025-52999
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2025-48924
Vulnerable Library - commons-lang3-3.12.0.jar
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
Library home page: https://www.apache.org/
Path to dependency file: /telegrambots-spring-boot-starter/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar
Dependency Hierarchy:
-
❌ commons-lang3-3.12.0.jar (Vulnerable Library)
-
telegrambots-meta-6.5.0.jar (Root Library)
- ❌ commons-lang3-3.12.0.jar (Vulnerable Library)
-
telegrambots-6.5.0.jar (Root Library)
- telegrambots-meta-6.5.0.jar
- ❌ commons-lang3-3.12.0.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.telegram.telegrambots.meta.api.methods.send.SendInvoice (Application)
- org.apache.commons.lang3.StringUtils (Extension)
-> ❌ org.apache.commons.lang3.ArrayUtils (Vulnerable Component)
Vulnerability Details
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 11, 2025 02:56 PM
URL: CVE-2025-48924
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠WS-2019-0379
Vulnerable Library - commons-codec-1.11.jar
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
Library home page: https://www.apache.org/
Path to dependency file: /telegrambots-spring-boot-starter/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: May 20, 2019 03:39 PM
URL: WS-2019-0379
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: May 20, 2019 03:39 PM
Fix Resolution : commons-codec:commons-codec:1.13
📂 Vulnerable Library - telegrambots-6.5.0.jar
Easy to use library to create Telegram Bots
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/telegram/telegrambots/6.5.0/telegrambots-6.5.0.jar
Findings
Details
🟣CVE-953123-750181
Vulnerable Library - jakarta.activation-api-1.2.2.jar
Jakarta Activation API jar
Library home page: https://www.eclipse.org
Path to dependency file: /telegrambots-spring-boot-starter/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/jakarta/activation/jakarta.activation-api/1.2.2/jakarta.activation-api-1.2.2.jar
Dependency Hierarchy:
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-953123-750181
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2025-52999
Vulnerable Library - jackson-core-2.14.1.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /telegrambots-meta/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.jar
Dependency Hierarchy:
jackson-databind-2.14.1.jar (Root Library)
telegrambots-meta-6.5.0.jar (Root Library)
telegrambots-6.5.0.jar (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Publish Date: Jun 25, 2025 05:02 PM
URL: CVE-2025-52999
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2025-48924
Vulnerable Library - commons-lang3-3.12.0.jar
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
Library home page: https://www.apache.org/
Path to dependency file: /telegrambots-spring-boot-starter/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar
Dependency Hierarchy:
❌ commons-lang3-3.12.0.jar (Vulnerable Library)
telegrambots-meta-6.5.0.jar (Root Library)
telegrambots-6.5.0.jar (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 11, 2025 02:56 PM
URL: CVE-2025-48924
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠WS-2019-0379
Vulnerable Library - commons-codec-1.11.jar
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
Library home page: https://www.apache.org/
Path to dependency file: /telegrambots-spring-boot-starter/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar
Dependency Hierarchy:
httpclient-4.5.13.jar (Root Library)
telegrambots-6.5.0.jar (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: May 20, 2019 03:39 PM
URL: WS-2019-0379
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: May 20, 2019 03:39 PM
Fix Resolution : commons-codec:commons-codec:1.13