Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS0zNnd2LXYycXAtdjRnNM4ABKKY

Moderate EPSS: 0.0006% (0.19158 Percentile) EPSS:
Permalink JSON

Apache CXF is vulnerable to DoS attacks as entire files are read into memory and logged

Affected Packages Affected Versions Fixed Versions
maven:org.apache.cxf:cxf-core >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.1, >= 3.6.0, < 3.6.6, < 3.5.11 4.0.7, 4.1.1, 3.6.6, 3.5.11
368 Dependent packages
1,719 Dependent repositories

Affected Version Ranges

All affected versions

3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0

All unaffected versions

3.5.11, 3.6.6, 3.6.7, 4.0.7, 4.0.8, 4.1.1, 4.1.2

Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted.

Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue.

References:

Identifiers

GHSA-36wv-v2qp-v4g4

CVE-2025-48795

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.0006

EPSS Percentile: 0.19158

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/apache/cxf

Date and time

Published

16 days ago

Updated

37 minutes ago

API

JSON