CVE-2025-23184
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache CXF | 0 < 3.5.10 | affected |
| Apache Software Foundation | Apache CXF | 3.6.0 < 3.6.5 | affected |
| Apache Software Foundation | Apache CXF | 4.0.0 < 4.0.6 | affected |
Weaknesses
- CWE-400: CWE-400 Uncontrolled Resource Consumption
ADP Enrichment
CVE Program Container
Additional References
- http://www.openwall.com/lists/oss-security/2025/01/20/3
- https://security.netapp.com/advisory/ntap-20250214-0003/
- https://www.vicarius.io/vsociety/posts/cve-2025-23184-detect-apache-cxf-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-23184-mitigate-apache-cxf-vulnerability
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.