Denial of Service Vulnerability in Apache CXF Products
CVE-2025-48795

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Cxf
Vendor: CVE Published:; 15 July 2025

What is CVE-2025-48795?

A vulnerability in Apache CXF allows large streaming messages to be mishandled as temporary files on the local filesystem. An introduced bug results in these files being read into memory entirely and subsequently logged, potentially enabling an attacker to initiate a denial of service by triggering an out of memory exception. Additionally, although CXF can be configured to encrypt temporary files to safeguard sensitive information, this vulnerability results in unencrypted data being exposed in logs, risking unauthorized access to sensitive credentials. Users are encouraged to update to the patched versions 3.5.11, 3.6.6, 4.0.7, or 4.1.1 to mitigate this issue.

Affected Version(s)

Apache CXF 3.5.10 < 3.5.11

Apache CXF 3.6.5 < 3.6.6

Apache CXF 4.0.6 < 4.0.7

References

https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjm...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 15, 2025
Vulnerability Reserved
May 26, 2025

Credit

MAUGIN Thomas https://github.com/Thom-x, Qlik