CVE-2026-42403
Apache Neethi Policy Circular Reference Denial of Service
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | neethi | up to 3.2.2 (3.2.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Apache Neethi where it does not properly detect circular references in WS-Policy documents. Specifically, if a policy references another policy that in turn references the first policy, this circular reference causes the policy normalization process to enter an infinite loop or excessive recursion.
As a result, this can lead to a stack overflow or cause the application to hang.
An attacker can exploit this by crafting malicious policy documents with such circular references to trigger these conditions.
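The check below is an added illustration, not code from Apache Neethi or from this advisory: it builds the reference graph of a WS-Policy document (standard `wsp` and `wsu` namespaces, `wsu:Id` targets, local `#id` `PolicyReference` URIs) and refuses the document when that graph contains a cycle, so a bounded validation runs before any normalizer that would recurse on it. The sample document is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed sample: policy "A" references "B" and "B" references "A", the
# shape the advisory describes. A normalizer that follows references without
# tracking the ones already on its path never finishes on this document.
CIRCULAR_DOC = f"""
<root xmlns:wsp="{WSP}" xmlns:wsu="{WSU}">
  <wsp:Policy wsu:Id="A"><wsp:All><wsp:PolicyReference URI="#B"/></wsp:All></wsp:Policy>
  <wsp:Policy wsu:Id="B"><wsp:All><wsp:PolicyReference URI="#A"/></wsp:All></wsp:Policy>
</root>
""".strip()


def reference_graph(xml_text):
    """Map each wsu:Id-identified policy to the local (#id) references inside it."""
    root = ET.fromstring(xml_text)
    graph = {}
    for pol in root.iter(f"{{{WSP}}}Policy"):
        pid = pol.get(f"{{{WSU}}}Id")
        if pid is None:  # anonymous policy: cannot be the target of a reference
            continue
        graph[pid] = [r.get("URI")[1:] for r in pol.iter(f"{{{WSP}}}PolicyReference")
                      if (r.get("URI") or "").startswith("#")]
    return graph


def find_cycle(graph):
    """Return the first reference cycle as a closed list of ids, or None if acyclic."""
    done = set()  # policies whose whole reference subtree was checked already

    def visit(pid, path):
        if pid in path:  # back edge: pid is already on the current reference path
            return path[path.index(pid):] + [pid]
        if pid in done or pid not in graph:  # already checked, or a dangling reference
            return None
        path.append(pid)
        for ref in graph[pid]:
            found = visit(ref, path)
            if found:
                return found
        path.pop()
        done.add(pid)
        return None
    for pid in graph:  # also catches cycles not reachable from the first policy
        found = visit(pid, [])
        if found:
            return found
    return None
```

A document for which `find_cycle` returns a path should be rejected before normalization; the checker's own recursion depth is bounded by the longest acyclic reference chain, so it terminates on every input.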
How can this vulnerability impact me?
The primary impact of this vulnerability is a Denial of Service (DoS) condition.
When exploited, the application using Apache Neethi can hang or crash due to stack overflow caused by infinite recursion in policy processing.
This can disrupt normal service availability and potentially affect dependent systems or users relying on the affected application.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade to Apache Neethi version 3.2.2, which fixes this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a Denial of Service (DoS) condition by allowing an attacker to trigger infinite loops or stack overflows through crafted circular policy references in Apache Neethi. While it impacts availability, it does not directly affect confidentiality or integrity of data.
Common standards and regulations such as GDPR and HIPAA require protecting the confidentiality, integrity, and availability of personal data; this vulnerability bears on the availability aspect. A successful DoS could disrupt services that handle regulated data, potentially leading to non-compliance with availability requirements.
However, there is no direct indication from the provided information that this vulnerability leads to unauthorized data access or data breaches affecting confidentiality or integrity.
Users are recommended to upgrade to version 3.2.2 to mitigate this issue and maintain compliance with availability requirements in relevant standards.