Fix Apache Commons Collections — CVE-2015-6420 CRITICAL
Fix CVE-2015-6420 (CRITICAL) in Apache Commons Collections for Java/Maven: remote code execution via an unsafe Java deserialization gadget chain. Paste your pom.xml into PackageFix and get a patched version — no CLI, no signup.
🔴 CISA KEV — Apache Commons Collections appears on the CISA Known Exploited Vulnerabilities catalog. Actively exploited in the wild. Fix immediately.
⚠ Vulnerability
CVE-2015-6420 (CRITICAL) — remote code execution via an unsafe Java deserialization gadget chain in Apache Commons Collections below 4.4.
Vulnerable — pom.xml
3.2.1
Fixed — pom.xml
4.4
✓ Fix
Update Apache Commons Collections to 4.4 and run mvn dependency:resolve.
Paste your manifest — get back a fixed version with all CVEs patched in seconds.
Open PackageFix → No signup · No CLI · No GitHub connection · Runs 100% in your browser
CVE Details
| Field | Value |
|---|---|
| CVE ID | CVE-2015-6420 |
| Severity | CRITICAL |
| Package | Apache Commons Collections (Java/Maven) |
| Safe version | 4.4 |
| CISA KEV | 🔴 Yes |
| Description | Remote code execution via an unsafe Java deserialization gadget chain |
Frequently Asked Questions
What is CVE-2015-6420?
CVE-2015-6420 is a CRITICAL severity vulnerability in Apache Commons Collections (Java/Maven) that allows remote code execution via an unsafe Java deserialization gadget chain. Update to 4.4 or later.
How do I fix CVE-2015-6420 in Apache Commons Collections?
Update Apache Commons Collections to version 4.4 in your pom.xml and run mvn dependency:resolve.
Is CVE-2015-6420 being actively exploited?
Yes — it appears on the CISA KEV catalog. Fix immediately.
How do I verify the fix for CVE-2015-6420?
After updating, paste your pom.xml into PackageFix again. If CVE-2015-6420 no longer appears in the CVE table, the fix is applied.
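The same verification can be scripted locally. The following is an added example, not PackageFix's own code: it scans a pom.xml for Commons Collections declarations below the safe version stated on this page. The two Maven coordinates are the library's published ones and do not appear on the page; the function and constant names are hypothetical, and the sample manifest is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Published Maven coordinates of the 3.x and 4.x lines (not shown on the page).
TARGETS = {("commons-collections", "commons-collections"),
           ("org.apache.commons", "commons-collections4")}
SAFE = (4, 4)  # safe version as stated on this page

# Constructed sample manifest; run the function on your own pom.xml instead.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><cc.version>3.2.1</cc.version></properties>
  <dependencies>
    <dependency><groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId><version>${cc.version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId><version>4.4</version></dependency>
  </dependencies>
</project>"""

def _local(tag):
    """Drop the XML namespace prefix that pom.xml elements carry."""
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def _as_tuple(version):
    """'3.2.1' -> (3, 2, 1); a qualifier such as '-SNAPSHOT' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def find_vulnerable(pom_xml):
    """Return (groupId, artifactId, version) for each declared version below SAFE."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for e in root if _local(e.tag) == "properties" for p in e}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        gid, aid, ver = (_text(dep, n) for n in ("groupId", "artifactId", "version"))
        if (gid, aid) not in TARGETS:
            continue
        ref = re.fullmatch(r"\$\{(.+)\}", ver)
        if ref:  # resolve a ${property} declared in <properties>
            ver = props.get(ref.group(1), "")
        # A missing or unresolvable version is reported for manual review.
        if not ver or _as_tuple(ver) < SAFE:
            findings.append((gid, aid, ver or "unresolved"))
    return findings
```

`find_vulnerable(SAMPLE_POM)` reports only the 3.2.1 declaration. The check reads versions declared in that one file, so copies pulled in transitively still need `mvn dependency:tree`.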