[BUG] OpenSearch 3.1.0 image subject to CVE-2025-48924

### Describe the bug

Automated scanning by Twistlock and Anchore are detecting CVE-2025-48924 embedded in the 3.1.0 image in multiple places--it looks like mostly in included plugins.

I see:
- /usr/share/opensearch/plugins/opensearch-sql/opensearch-sql-3.1.0.0.jar
- /usr/share/opensearch/plugins/opensearch-knn/commons-lang-2.6.jar
- /usr/share/opensearch/plugins/opensearch-ml/commons-lang3-3.10.jar
- /usr/share/opensearch/plugins/opensearch-security-analytics/commons-lang3-3.14.0.jar
- /usr/share/opensearch/plugins/opensearch-anomaly-detection/commons-lang3-3.17.0.jar

### Related component

_No response_

### To Reproduce

Scan 3.1.0 image.


### Expected behavior

No known vulnerabilities.

### Additional Details

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[BUG] OpenSearch 3.1.0 image subject to CVE-2025-48924 #18760

Describe the bug

Related component

To Reproduce

Expected behavior

Additional Details

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[BUG] OpenSearch 3.1.0 image subject to CVE-2025-48924 #18760

Description

Describe the bug

Related component

To Reproduce

Expected behavior

Additional Details

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions