2380189 – (CVE-2025-48795) CVE-2025-48795 org.apache.cxf/cxf: Apache CXF denial of service and data exposure

Bug 2380189 (CVE-2025-48795) - CVE-2025-48795 org.apache.cxf/cxf: Apache CXF denial of service and data exposure

Summary: CVE-2025-48795 org.apache.cxf/cxf: Apache CXF denial of service and data expo...

Keywords:
Status:	NEW
Alias:	CVE-2025-48795
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-07-15 15:01 UTC by OSIDB Bzimport
Modified:	2025-07-16 14:45 UTC (History)
CC List:	23 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-07-15 15:01:38 UTC

Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted.

Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue.

Note You need to log in before you can comment on or make changes to this bug.

asoldano
bbaranow
bmaxwell
brian.stansberry
cdewolf
darran.lofthouse
dkreling
dosoudil
fjuma
istudens
ivassile
iweiss
lgao
mosmerov
msochure
msvehla
nwallace
pesilva
pjindal
pmackay
rstancel
smaestri
tom.jenkinson