CVE-2025-48795

Severity CVSS v4.0:

Pending analysis

Type:

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

Publication date:

15/07/2025

Last modified:

04/11/2025

Description

Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted.<br /> <br /> Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS v3.1 Severity and Metrics:

Base Score: 5.60 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

Base Score 3.x

5.60

Severity 3.x

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:apache:cxf:3.5.10:::::::*
cpe:2.3:a:apache:cxf:3.6.5:::::::*
cpe:2.3:a:apache:cxf:4.0.6:::::::*
cpe:2.3:a:apache:cxf:4.1.0:::::::*

To consult the complete list of CPE names with products and versions, see this page

CPE	From	Up to
cpe:2.3:a:apache:cxf:3.5.10:::::::*
cpe:2.3:a:apache:cxf:3.6.5:::::::*
cpe:2.3:a:apache:cxf:4.0.6:::::::*
cpe:2.3:a:apache:cxf:4.1.0:::::::*

CVE-2025-48795

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools