CVE-2025-48795: Uncontrolled Resource Consumption in Apache Software Foundation Apache CXF

Severity: 5.6 MEDIUM (NVD)
EPSS: 0.1% (top 69.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 15; latest update Jan 15

Description

Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 2.2 | Impact: 3.4

Affected Packages (2 packages)

CVEList V5: apache_software_foundation/apache_cxf, versions 3.5.10, 3.5.11, +3
NVD: apache/cxf, 4 versions, +3

Vulnerability Details (3)

GHSA: Apache CXF is vulnerable to DoS attacks as entire files are read into memory and logged (2025-07-15)
CVEList: Apache CXF: Denial of Service and sensitive data exposure in logs (2025-07-15)
OSV: Apache CXF is vulnerable to DoS attacks as entire files are read into memory and logged (2025-07-15)

Vendor Advisories (5)

Oracle: Oracle Construction and Engineering Risk Matrix: Integrators (Apache CXF), CVE-2025-48795 (2026-01-15)
Oracle: Oracle Commerce Risk Matrix: Endeca Integration (Apache CXF), CVE-2025-48795 (2025-10-15)
Red Hat: org.apache.cxf/cxf: Apache CXF denial of service and data exposure (2025-07-15)
Oracle: Oracle Retail Applications Risk Matrix: Xenvironment (Apache Mina SSHD), CVE-2023-48795 (2025-04-15)
Oracle: Oracle Database Server Risk Matrix: Database Migration Assistant for Unicode (Apache Mina SSHD), CVE-2023-48795 (2025-01-15)