oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-48795: Apache CXF: Denial of Service and sensitive data exposure in logs

From: Colm O hEigeartaigh <coheigea () apache org>
Date: Tue, 15 Jul 2025 15:01:28 +0100
Severity: moderate

Affected versions:

- Apache CXF 3.5.10 before 3.5.11
- Apache CXF 3.6.5 before 3.6.6
- Apache CXF 4.0.6 before 4.0.7
- Apache CXF 4.1.0 before 4.1.1

Description:

Apache CXF stores large stream based messages as temporary files on
the local filesystem. A bug was introduced which means that the entire
temporary file is read into memory and then logged. An attacker might
be able to exploit this to cause a denial of service attack by causing
an out of memory exception. In addition, it is possible to configure
CXF to encrypt temporary files to prevent sensitive credentials from
being cached unencrypted on the local filesystem, however this bug
means that the cached files are written out to logs unencrypted.

Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or
4.1.1, which fixes this issue.

Credit:

MAUGIN Thomas https://github.com/Thom-x, Qlik (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-48795
Previous By Date Next
Previous By Thread Next

Current thread: