In order for your code to be vulnerable you need to:
22
+
* Be running a version of Apache `commons-text` from version `1.5.0` up to (and not including) `1.10.0`
23
+
* Using Interpolation for your StringSubstituion (see [https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/StringSubstitutor.html](https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/StringSubstitutor.html))
24
+
19
25
The fix for this is to update your instances of `commons-text` to versions `1.10.0` or later.
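Review bot: The second added bullet (new line 23) misspells the class name as `StringSubstituion` and breaks the sentence it continues: after "you need to:" the first bullet reads "Be running ..." but this one reads "Using ...". Suggest "Be using interpolation with `StringSubstitutor`" so both items parse and the name matches the linked Javadoc. The list also does not say whether both conditions must hold together, and the second bullet does not say which use of interpolation matters, for example whether untrusted input has to reach the substitutor. Without that, a reader cannot tell from these lines whether their code is affected. Consider opening the list with "both of the following" and adding one sentence on the input condition. The version range in the first bullet is consistent with the fix line below it (`1.10.0` or later), so no change is needed there.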