CVE-2025-48913
BaseFortify
Publication date: 2025-08-08
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | cxf | to 3.6.8 (exc) |
| apache | cxf | From 4.0.0 (inc) to 4.0.9 (exc) |
| apache | cxf | From 4.1.0 (inc) to 4.1.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when untrusted users are allowed to configure JMS for Apache CXF using RMI or LDAP URLs, which could lead to remote code execution. The issue has been fixed by restricting the interface to reject these protocols.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow attackers to execute arbitrary code remotely on the affected system, potentially compromising system integrity and security.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade to Apache CXF versions 3.6.8, 4.0.9, or 4.1.3, which fix this issue by restricting JMS configuration to reject RMI or LDAP URLs, preventing potential code execution.