CVE-2025-48795
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | cxf | 4.0.6 |
| apache | cxf | 3.5.10 |
| apache | cxf | 3.6.5 |
| apache | cxf | 4.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache CXF involves a bug where large stream-based messages stored as temporary files on the local filesystem are fully read into memory and then logged. This can lead to an out of memory exception. Additionally, although CXF can be configured to encrypt these temporary files to protect sensitive credentials, the bug causes the cached files to be logged unencrypted, exposing sensitive data.
How can this vulnerability impact me? :
An attacker could exploit this vulnerability to cause a denial of service (DoS) attack by triggering an out of memory exception. Furthermore, sensitive credentials that should be encrypted in temporary files might be exposed in unencrypted logs, leading to potential data leakage.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache CXF to versions 3.5.11, 3.6.6, 4.0.7, or 4.1.1, which contain fixes for this issue. Additionally, configuring CXF to encrypt temporary files can help prevent sensitive credentials from being cached unencrypted on the local filesystem.