CVE-2025-48795

5.6 MEDIUM
Published: July 15, 2025 Modified: November 04, 2025
View on NVD

Description

Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted. Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn
Source: security@apache.org
Issue Tracking Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/07/15/3
Source: af854a3a-2127-422b-91ae-364da2661108

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.6 / 10.0
EPSS (Exploit Probability)
0.1%
23th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-400

Affected Vendors

apache

Related CVEs

CVE-2026-21652 N/A
CVE-2026-21651 N/A
CVE-2026-21650 N/A
CVE-2026-21649 N/A
CVE-2026-21648 N/A