CVE-2022–42889 _ Text4Shell Vuln Technical Analysis


📅 [ Archival Date ]
Oct 19, 2022 8:06 PM
🏷️ [ Tags ]
CVE-2022–42889, Text4Shell, Apache Commons Text
✍️ [ Author ]
Numen Cyber Labs
💣 [ PoC / Exploit ]

What exchanges and other institutions need to pay attention to


CVE ID


Apache Commons Text supports variable interpolation. The standard format is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup. From version 1.5 to version 1.9, the default set of lookup instances includes the following: “script” uses the JVM script execution engine (javax.script) to execute the expression, “dns” resolves DNS records, and “url” issues arbitrary HTTP requests.

If an untrusted configuration value is used, the affected application is vulnerable to remote code execution. The NVD score for this vulnerability is 9.8.

Apache Commons Text serves as a foundational component of many Java applications. Its security therefore requires that all Web3 project parties pay more attention: keep track of security loopholes in the various Web3 infrastructures and apply patches in time to avoid potential security risks and loss of digital assets. We will continue to track security risks across Web3 and provide leading security solutions to keep the Web3 world safe both on-chain and off-chain.

Affected versions

>=1.5 <=1.9


When reading the official 1.9 documentation, I see the following


Executing a JavaScript script through the script interpolator and obtaining the result:


Since the vulnerability description states that the script lookup uses the JVM script execution engine (javax.script), it can be assumed that the StringSubstitutor.replace method may execute arbitrary Java code during script interpolation.

Construct a PoC:


Analysis starts at the entry point StringSubstitutor.replace, which calls the substitute method to process the incoming string.


substitute scans for the ${} delimiters, extracts the variable between them, and parses it; from there, follow the resolveVariable method.


Continue into the lookup method of the StringLookup object.


The other interpolators are initialized in stringLookupMap, where each interpolation prefix maps to a different lookup instance.


The current input prefix is script, so the lookup instance is ScriptStringLookup and its lookup method is called.


In this method, scriptEngine.eval is finally called to trigger the vulnerability.
In version 1.10.0, script is no longer registered when the stringLookupMap collection is initialized, so no matching instance is found and lookup returns null.


Use of Other Interpolators

Arbitrary file read


Here the lookup instance is the FileStringLookup class.


Its lookup method reads the file and returns its contents.

DNS probe


The dns lookup can be used for non-destructive testing.


HTTP request

The url lookup can be used for SSRF, for example to probe ports.

Because the payload looks similar to Log4Shell's and is easy for attackers to use, some have started calling the vulnerability “Text4Shell” or “Act4Shell”.

It is recommended that all Web3 project parties pay more attention, upgrade to Apache Commons Text 1.10.0 in time, and disable the problematic interpolator by default to avoid potential security risks and loss of digital assets.
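As an added example that is not code from the original post or from the Apache Commons Text project, the following shows the default-interpolator pattern the call chain above runs through (interpolatorStringLookup registering script/dns/url, ending in scriptEngine.eval) next to an allow-listed StringSubstitutor that never registers those lookups, which is the "disable the problematic interpolator" recommendation in code. The class name, the sample input and the allow-list are constructed; it assumes commons-text 1.5 to 1.9 on the classpath and, for the vulnerable path to actually evaluate anything, a JDK that ships a JavaScript engine (Nashorn, JDK 8 to 14).

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example, not code from the original post or from Apache Commons Text.
 * Assumes commons-text 1.5 to 1.9; the vulnerable path only evaluates the
 * script if the JDK ships a JavaScript engine (Nashorn, JDK 8 to 14).
 */
public class Text4ShellHardening {

    // Constructed sample input: imagine this value arrives from a request or a user-editable config.
    // "3 + 4" is the harmless expression the Commons Text docs use; the ${script:...} shape is the point.
    static final String UNTRUSTED = "Hello ${user}, result=${script:javascript:3 + 4}";

    /** Vulnerable pattern: interpolatorStringLookup(map) registers the default lookups,
     *  which on 1.5 to 1.9 include script, dns and url (the chain that ends in scriptEngine.eval). */
    static String vulnerable(String input, Map<String, String> values) {
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(values);
        return new StringSubstitutor(interpolator).replace(input);
    }

    /** Hardened pattern: an explicit allow-list of prefixes with addDefaultLookups=false, so
     *  script, dns, url and file are never placed in stringLookupMap. An unknown prefix falls
     *  through to the default map lookup, which returns null, and the ${...} text is left as-is. */
    static String hardened(String input, Map<String, String> values) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", factory.systemPropertyStringLookup());      // e.g. ${sys:user.home}
        allowed.put("env", factory.environmentVariableStringLookup()); // e.g. ${env:PATH}
        StringLookup interpolator = factory.interpolatorStringLookup(
                allowed,                          // only these prefixes resolve
                factory.mapStringLookup(values),  // un-prefixed names resolve against this map
                false);                           // do NOT add the built-in default lookups
        return new StringSubstitutor(interpolator).replace(input);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");
        System.out.println(vulnerable(UNTRUSTED, values));
        // prints the greeting with the expression replaced by whatever the script engine evaluated
        System.out.println(hardened(UNTRUSTED, values));
        // prints the greeting with ${user} resolved and the ${script:...} text left verbatim, never evaluated
    }
}
```

On 1.10.0 the default set no longer contains script, dns or url, but the allow-list form above does not depend on which defaults a given release ships, so it is the safer pattern whenever any part of the template can come from outside the application.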