CVE-2025-48913

Summary

If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility.

Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache CXF4.1.0 < 4.1.3affected
Apache Software FoundationApache CXF4.0.0 < 4.0.9affected
Apache Software FoundationApache CXF0 < 3.6.8affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

CVE Program Container

Additional References

References