diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 20eb4d4a33b..7e581715f39 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -27,6 +27,7 @@ Runtime Behavior Changes
 * finagle-core: Dimensional client & server metrics are prefixed with just `finagle_` instead of `rpc_finagle_client`
   and `rpc_finagle_server`, respectively. ``PHAB_ID=D1218090``
 * finagle-core: Dimensional metrics from `DefaultStatsReceiver` are no longer prefixed with `app_`. ``PHAB_ID=D1218090``
+* finagle-serversets: Update commons-lang to 3.18.0 to resolve CVE-2025-48924
 
 New Features
 ~~~~~~~~~~
diff --git a/build.sbt b/build.sbt
index 593087b68f3..9db0fd5c41a 100644
--- a/build.sbt
+++ b/build.sbt
@@ -517,7 +517,7 @@ lazy val finagleServersets = Project(
         ExclusionRule("com.sun.jmx", "jmxri"),
         ExclusionRule("javax.jms", "jms")
       ),
-      "commons-lang" % "commons-lang" % "2.6"
+      "org.apache.commons" % "commons-lang3" % "3.18.0"
     ),
     libraryDependencies ++= jacksonLibs,
     libraryDependencies ++= scroogeLibs,
diff --git a/finagle-serversets/src/main/java/com/twitter/finagle/common/base/MorePreconditions.java b/finagle-serversets/src/main/java/com/twitter/finagle/common/base/MorePreconditions.java
index d6730dc88ad..75735a170a7 100644
--- a/finagle-serversets/src/main/java/com/twitter/finagle/common/base/MorePreconditions.java
+++ b/finagle-serversets/src/main/java/com/twitter/finagle/common/base/MorePreconditions.java
@@ -18,7 +18,7 @@
 
 import java.util.Objects;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 /**
  * A utility helpful in concisely checking preconditions on arguments.
diff --git a/finagle-serversets/src/main/java/com/twitter/finagle/common/zookeeper/Group.java b/finagle-serversets/src/main/java/com/twitter/finagle/common/zookeeper/Group.java
index 99a7472d20b..299b236539c 100644
--- a/finagle-serversets/src/main/java/com/twitter/finagle/common/zookeeper/Group.java
+++ b/finagle-serversets/src/main/java/com/twitter/finagle/common/zookeeper/Group.java
@@ -30,8 +30,8 @@
 
 import javax.annotation.Nullable;
 
-import org.apache.commons.lang.ArrayUtils;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.KeeperException.NoNodeException;
diff --git a/finagle-serversets/src/main/java/com/twitter/finagle/common/zookeeper/ZooKeeperClient.java b/finagle-serversets/src/main/java/com/twitter/finagle/common/zookeeper/ZooKeeperClient.java
index d05a1febef5..a152f4396b7 100644
--- a/finagle-serversets/src/main/java/com/twitter/finagle/common/zookeeper/ZooKeeperClient.java
+++ b/finagle-serversets/src/main/java/com/twitter/finagle/common/zookeeper/ZooKeeperClient.java
@@ -36,7 +36,7 @@
 
 import javax.annotation.Nullable;
 
-import org.apache.commons.lang.builder.EqualsBuilder;
+import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.KeeperException.SessionExpiredException;
 import org.apache.zookeeper.WatchedEvent;