Apache Software Foundation Apache CXF vulnerabilities

20 known vulnerabilities affecting apache_software_foundation/apache_cxf.

Total CVEs: 20
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 10, MEDIUM 6

Vulnerabilities

CVE-2025-48913 | CRITICAL | CVSS 9.8 | Affected: ≥ 4.1.0, < 4.1.3; ≥ 4.0.0, < 4.0.9; +1 more | Published: 2025-08-08
CWE-20. If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.
Sources: cvelistv5, nvd
CVE-2025-48795 | MEDIUM | CVSS 5.6 | Affected: ≥ 3.5.10, < 3.5.11; ≥ 3.6.5, < 3.6.6; +2 more | Published: 2025-07-15
CWE-400. Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF…
Sources: cvelistv5, nvd
CVE-2025-23184 | HIGH (entry text rates it MEDIUM) | CVSS 7.5 | Affected: fixed in 3.5.10; ≥ 3.6.0, < 3.6.5; +1 more | Published: 2025-01-21
CWE-400. A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
Sources: cvelistv5, nvd
CVE-2024-29736 | CRITICAL | CVSS 9.1 | Affected: fixed in 3.5.9, 3.6.4, 4.0.5 | Published: 2024-07-19
CWE-918. An SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured.
Sources: cvelistv5, nvd
CVE-2024-41172 | HIGH | CVSS 7.5 | Affected: ≥ 3.6.0, 4.0.0, < 3.6.4, 4.0.5 | Published: 2024-07-19
CWE-401. In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory.
Sources: cvelistv5, nvd
CVE-2024-32007 | HIGH | CVSS 7.5 | Affected: fixed in 4.0.5, 3.6.4, 3.5.9 | Published: 2024-07-19
CWE-20. An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.
Sources: cvelistv5, nvd
CVE-2024-28752 | CRITICAL | CVSS 9.3 | PoC available | Affected: fixed in 4.0.4, 3.6.3, 3.5.8 | Published: 2024-03-15
CWE-918. An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
Sources: cvelistv5, nvd
CVE-2022-46364 | CRITICAL | CVSS 9.8 | Affected: fixed in 3.5.5; fixed in 3.4.10 | Published: 2022-12-13
CWE-918. An SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
Sources: cvelistv5, nvd
CVE-2022-46363 | HIGH | CVSS 7.5 | Affected: ≥ 3.5, < 3.5.5; ≥ 3.4, < 3.4.10 | Published: 2022-12-13
CWE-20. A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerab…
Sources: cvelistv5, nvd
CVE-2021-30468 | HIGH | CVSS 7.5 | Affected: < 3.4.4 (lower bound not given) | Published: 2021-06-16
CWE-400. A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.
Sources: cvelistv5, nvd
CVE-2021-22696 | HIGH | CVSS 7.5 | Affected: ≥ unspecified, < 3.4.3; ≥ unspecified, < 3.3.10 | Published: 2021-04-02
CWE-400. CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "reques…
Sources: cvelistv5, nvd
CVE-2020-13954 | MEDIUM | CVSS 6.1 | Affected: ≥ unspecified, < 3.4.1; ≥ unspecified, < 3.3.8 | Published: 2020-11-12
CWE-79. Apache CXF Reflected XSS in the services listing page via the styleSheetPath. By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects…
Sources: cvelistv5
CVE-2019-17573 | MEDIUM | CVSS 6.1 | Affected: ≥ unspecified, < 3.4.1; ≥ unspecified, < 3.3.8 | Published: 2020-01-16
CWE-79. By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically present in mod…
Sources: nvd
CVE-2018-8039 | HIGH | CVSS 8.1 | Affected: prior to 3.1.16; 3.2.x prior to 3.2.5 | Published: 2018-07-02
CWE-755. It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the defaul…
Sources: cvelistv5, nvd
CVE-2017-12624 | MEDIUM | CVSS 5.5 | Affected: prior to 3.1.14; 3.2.x prior to 3.2.1 | Published: 2017-11-14
Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment header…
Sources: cvelistv5, nvd
CVE-2017-3156 | HIGH | CVSS 7.5 | Affected: prior to 3.0.13; 3.1.x prior to 3.1.10 | Published: 2017-08-10
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
Sources: cvelistv5, nvd
CVE-2016-8739 | HIGH | CVSS 7.5 | Affected: prior to 3.0.12; 3.1.x prior to 3.1.9 | Published: 2017-08-10
CWE-611. The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
Sources: cvelistv5, nvd
CVE-2016-6812 | MEDIUM | CVSS 6.1 | Affected: prior to 3.0.12; 3.1.x prior to 3.1.9 | Published: 2017-08-10
CWE-79. The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWrit…
Sources: cvelistv5, nvd
CVE-2017-5656 | HIGH | CVSS 7.5 | Affected: 3.1.x before 3.1.11; versions before 3.0.13 | Published: 2017-04-18
CWE-384. Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.
Sources: cvelistv5, nvd
CVE-2017-5653 | MEDIUM | CVSS 5.3 | Affected: prior to 3.0.13; 3.1.x prior to 3.1.11 | Published: 2017-04-18
CWE-295. JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
Sources: cvelistv5, nvd