The Apache Software Foundation has disclosed a vulnerability—CVE-2025-48795—affecting multiple versions of Apache CXF, an open-source web services framework relied upon by developers for building SOAP and REST-based applications.
The flaw is a dual threat: it creates the risk of a Denial-of-Service (DoS) attack via memory exhaustion, and it can inadvertently expose sensitive data—including credentials—in plaintext within application logs.
“Apache CXF stores large stream-based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged,” the advisory explains.
At the heart of the issue is how Apache CXF handles large message payloads, particularly those received over SOAP, XML/HTTP, or REST. Normally, stream-based data is spooled to encrypted temporary files on the local filesystem and handled from there. But because of a flawed change in the affected versions, CXF:
- Reads entire temporary files into memory, risking Out-of-Memory (OOM) exceptions for very large payloads
- Logs the entire content, even if it includes unencrypted sensitive information, bypassing expected safeguards
This means a malicious actor could flood the service with large requests, causing it to crash or, worse, causing it to write authentication credentials or session data into log files that should never contain such sensitive material.
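To make the mechanism concrete, the following is an added illustration and not Apache CXF's own code: it models a stream that spools large messages to a temporary file, shows the vulnerable logging pattern (reading the whole spooled file back into memory and logging it) next to a hardened pattern (a bounded, redacted preview plus the message size). The `SPOOL_THRESHOLD`, `LOG_PREVIEW_BYTES`, the redaction patterns and the sample SOAP envelope are all constructed assumptions for this example, not values from CXF or from the advisory.

```python
"""Added example modelling the logging flaw behind CVE-2025-48795.

Not Apache CXF code: the class below only mimics the behaviour the advisory
describes (large messages spooled to a temp file) so the two logging
patterns can be compared on realistic input.
"""
import io
import os
import re
import tempfile

SPOOL_THRESHOLD = 64 * 1024   # assumed: messages above this go to disk
LOG_PREVIEW_BYTES = 1024      # assumed: cap on payload bytes per log line

# Constructed redaction rules for secrets commonly found in SOAP/REST payloads.
# Each pattern has a prefix group and a suffix group around the secret.
_REDACT_PATTERNS = [
    re.compile(rb"(<wsse:Password[^>]*>)[^<]*(</wsse:Password>)"),
    re.compile(rb"(Authorization:\s*)[^\r\n]+()", re.IGNORECASE),
    re.compile(rb'("(?:password|token|api_key)"\s*:\s*")[^"]*(")', re.IGNORECASE),
]


class CachedStream:
    """Buffer in memory up to SPOOL_THRESHOLD, then spool to a temp file."""

    def __init__(self):
        self._mem = io.BytesIO()
        self._path = None
        self.size = 0

    def write(self, chunk: bytes) -> None:
        self.size += len(chunk)
        if self._path is None and self.size > SPOOL_THRESHOLD:
            # Move what is buffered so far to disk and keep appending there.
            fd, self._path = tempfile.mkstemp(prefix="spooled-msg-")
            with os.fdopen(fd, "wb") as f:
                f.write(self._mem.getvalue())
            self._mem = None
        if self._path is None:
            self._mem.write(chunk)
        else:
            with open(self._path, "ab") as f:
                f.write(chunk)

    def read_all(self) -> bytes:
        """Vulnerable pattern: the entire spooled file is materialised in memory."""
        if self._path is None:
            return self._mem.getvalue()
        with open(self._path, "rb") as f:
            return f.read()

    def read_head(self, n: int) -> bytes:
        """Hardened pattern: at most n bytes, whatever the message size."""
        if self._path is None:
            return self._mem.getvalue()[:n]
        with open(self._path, "rb") as f:
            return f.read(n)

    def close(self) -> None:
        if self._path and os.path.exists(self._path):
            os.unlink(self._path)


def redact(data: bytes) -> bytes:
    """Mask credential-like fields before anything reaches a log."""
    for pat in _REDACT_PATTERNS:
        data = pat.sub(rb"\1[REDACTED]\2", data)
    return data


def vulnerable_log_line(stream: CachedStream) -> bytes:
    """What the advisory describes: full payload, credentials included."""
    return stream.read_all()


def hardened_log_line(stream: CachedStream) -> bytes:
    """Bounded, redacted preview; the total size is reported, not the body."""
    head = redact(stream.read_head(LOG_PREVIEW_BYTES))
    if stream.size > LOG_PREVIEW_BYTES:
        head += b"...(%d bytes total, truncated)" % stream.size
    return head


def build_message(filler_bytes: int) -> bytes:
    """Constructed SOAP envelope with a WS-Security password, padded past the threshold."""
    return (b"<soap:Envelope><soap:Header><wsse:Security><wsse:UsernameToken>"
            b"<wsse:Username>alice</wsse:Username>"
            b'<wsse:Password Type="PasswordText">hunter2</wsse:Password>'
            b"</wsse:UsernameToken></wsse:Security></soap:Header>"
            b"<soap:Body><data>" + b"A" * filler_bytes + b"</data></soap:Body></soap:Envelope>")


def demo():
    """Feed a 200 KiB message through the stream and return both log lines."""
    stream = CachedStream()
    msg = build_message(200 * 1024)
    for i in range(0, len(msg), 8192):
        stream.write(msg[i:i + 8192])
    try:
        return vulnerable_log_line(stream), hardened_log_line(stream)
    finally:
        stream.close()


if __name__ == "__main__":
    bad, good = demo()
    print("vulnerable line: %d bytes, password present: %s" % (len(bad), b"hunter2" in bad))
    print("hardened line:   %d bytes, password present: %s" % (len(good), b"hunter2" in good))
```

The two properties worth checking in any fix are visible in `hardened_log_line`: the amount read from the spooled file is capped independently of the message size (so a flood of large requests cannot drive memory use through the logger), and secrets are masked before the bytes are handed to the log. Operators who cannot upgrade immediately should also review existing logs for payloads written in full, since material already on disk is not undone by the patch.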
The vulnerability affects the following versions:
- Apache CXF 3.5.10 (prior to 3.5.11)
- Apache CXF 3.6.5 (prior to 3.6.6)
- Apache CXF 4.0.6 (prior to 4.0.7)
- Apache CXF 4.1.0 (prior to 4.1.1)
Organizations using these versions—especially in financial, healthcare, and government systems—should be on high alert.
“This bug means that the cached files are written out to logs unencrypted,” the advisory warns—an especially dangerous outcome for systems that handle PII, tokens, or API keys.
The Apache Software Foundation urges users to upgrade immediately to the patched versions:
- 3.5.11
- 3.6.6
- 4.0.7
- 4.1.1
These updates correct the logging behavior and restore proper encrypted handling of temporary files.