Apache CXF <3.5.11,3.6.6,4.0.7,4.1.1: OOM from Logged Temp Files
CVE-2025-48795 Published on July 15, 2025
Apache CXF: Denial of Service and sensitive data exposure in logs
Apache CXF stores large stream-based messages as temporary files on the local filesystem. A bug was introduced that causes the entire temporary file to be read into memory and then logged. An attacker might be able to exploit this to cause a denial of service by triggering an out-of-memory error. In addition, CXF can be configured to encrypt these temporary files so that sensitive credentials are not cached unencrypted on the local filesystem; this bug means that the cached content is still written to the logs unencrypted.
Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fix this issue.
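The bug pattern the advisory describes, as an added illustration in plain Python that is not CXF code: a hypothetical `CachedStream` mimics a message cache that spills to a temporary file once a threshold is passed, `log_message_unbounded` reads the whole spill file back into memory to build a log line (the behaviour the advisory describes), and `log_message_bounded` reads at most `limit` bytes and marks the truncation. All class and function names are this example's own, and the sample message is constructed.

```python
"""Illustration of the CVE-2025-48795 bug pattern (added example, not
CXF code): a message spilled to a temp file is read back in full for
logging.  Class and function names are hypothetical."""
import io
import os
import tempfile


class CachedStream:
    """Buffers a message in memory and spills it to a temporary file once
    `threshold` bytes have been written, like a streaming message cache."""

    def __init__(self, threshold: int = 64 * 1024):
        self.threshold = threshold
        self.buf = io.BytesIO()   # in-memory part, until the spill happens
        self.tmp = None           # path of the spill file, once created
        self.size = 0

    def write(self, data: bytes) -> None:
        self.size += len(data)
        if self.tmp is None and self.size > self.threshold:
            # Spill: move what is buffered so far into a temp file.
            fd, self.tmp = tempfile.mkstemp(prefix="cached-msg-")
            with os.fdopen(fd, "wb") as f:
                f.write(self.buf.getvalue())
            self.buf = None
        if self.tmp is None:
            self.buf.write(data)
        else:
            with open(self.tmp, "ab") as f:
                f.write(data)

    def open(self):
        """Return a readable binary stream over the whole message."""
        if self.tmp is None:
            return io.BytesIO(self.buf.getvalue())
        return open(self.tmp, "rb")

    def close(self) -> None:
        """Delete the spill file, if one was created."""
        if self.tmp is not None:
            os.unlink(self.tmp)
            self.tmp = None


def log_message_unbounded(cs: CachedStream) -> str:
    """The regression: the entire cached message is pulled into memory to
    build the log line, so heap use scales with the message size, and a
    cache that is encrypted at rest still reaches the log as plaintext."""
    with cs.open() as f:
        body = f.read()   # whole temp file into one byte string
    return "Payload: " + body.decode("utf-8", "replace")


def log_message_bounded(cs: CachedStream, limit: int = 48 * 1024) -> str:
    """Hardened form: read at most `limit` bytes and flag the truncation.
    Memory use is fixed by `limit` regardless of message size."""
    with cs.open() as f:
        head = f.read(limit)
        truncated = f.read(1) != b""   # anything left means we cut it
    text = "Payload: " + head.decode("utf-8", "replace")
    if truncated:
        text += "--- (message truncated to %d bytes) ---" % limit
    return text


def spill_message(payload: bytes, threshold: int = 4096) -> CachedStream:
    """Write a constructed payload through the cache in 8 KiB chunks."""
    cs = CachedStream(threshold)
    for off in range(0, len(payload), 8192):
        cs.write(payload[off:off + 8192])
    return cs


if __name__ == "__main__":
    big = spill_message(b"A" * (1024 * 1024))   # constructed 1 MiB body
    print("spilled to:", big.tmp)
    print("unbounded log line:", len(log_message_unbounded(big)), "chars")
    print("bounded log line:  ", len(log_message_bounded(big)), "chars")
    big.close()
```

The unbounded variant's heap cost is the full message size, so a client that can send large bodies turns the logger itself into the out-of-memory vector, and it defeats at-rest encryption of the cache because the logger reads the decrypted content. The bounded variant's cost is fixed by `limit`. In CXF the analogous settings are the logging feature's payload limit (`LoggingFeature.setLimit`) and the threshold and cipher-transformation properties of `CachedOutputStream`; the advisory does not say whether those settings mitigate the bug, so treat upgrading to the fixed releases as the remediation and the settings as defence in depth.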
Vulnerability Analysis
CVE-2025-48795 can be exploited over the network and requires neither privileges nor user interaction. The attack complexity is rated high. The impact of a successful exploit is rated low, with a low impact on confidentiality, integrity and availability. Note that the advisory itself describes both a denial of service (out-of-memory) and exposure of cached credentials in logs, so weigh the rating against what your deployment logs and who can send it large messages.
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources (CWE-400, Uncontrolled Resource Consumption).
CVE-2025-48795 has been classified as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2025-48795
Affected Versions
Apache Software Foundation Apache CXF:
- Versions 3.5.x up to and including 3.5.10 are affected; fixed in 3.5.11.
- Versions 3.6.x up to and including 3.6.5 are affected; fixed in 3.6.6.
- Versions 4.0.x up to and including 4.0.6 are affected; fixed in 4.0.7.
- Version 4.1.0 is affected; fixed in 4.1.1.
Releases older than the 3.5 branch are also below 3.5.11 and have no fixed release; upgrade to one of the fixed versions above.
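To check a build against the ranges above, here is an added Python script (not from stack.watch or the CXF project) that classifies a CXF version by branch and scans `mvn dependency:list` style output for `org.apache.cxf` artifacts. The dependency lines are constructed for the example (a real build would normally pin a single CXF version). Two rules are this script's own conservative choices rather than statements from the advisory: branches older than 3.5 are treated as affected (they sit below 3.5.11 and have no fixed release), and a `-SNAPSHOT` build of a fix version is treated as affected because it may predate the fix.

```python
"""Classify Apache CXF versions against the CVE-2025-48795 fix releases
(3.5.11, 3.6.6, 4.0.7, 4.1.1).  Added example; not stack.watch or CXF
project code.  Sample dependency output below is constructed."""
import re
from typing import List, Tuple

# First fixed release on each affected branch, keyed by (major, minor).
FIXED = {
    (3, 5): (3, 5, 11),
    (3, 6): (3, 6, 6),
    (4, 0): (4, 0, 7),
    (4, 1): (4, 1, 1),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-SNAPSHOT)?")

# groupId:artifactId:type[:classifier]:version:scope, as printed by
# `mvn dependency:list`; the classifier segment is optional.
DEP_RE = re.compile(r"org\.apache\.cxf:([\w.-]+):jar:(?:[\w.-]+:)?(\d[^:\s]*):")

# Constructed sample of `mvn dependency:list` output (not a real build).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.cxf:cxf-core:jar:3.6.5:compile
[INFO]    org.apache.cxf:cxf-rt-frontend-jaxrs:jar:3.6.5:compile
[INFO]    org.apache.cxf:cxf-rt-features-logging:jar:3.6.5:compile
[INFO]    org.apache.cxf:cxf-rt-transports-http:jar:4.0.7:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.13:compile
"""


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Turn '3.6.5' or '4.0.7-SNAPSHOT' into ((major, minor, patch), is_snapshot)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError("unparseable CXF version: %r" % text)
    major, minor, patch, snapshot = m.groups()
    return (int(major), int(minor), int(patch or 0)), snapshot is not None


def is_affected(version: str) -> bool:
    """True if `version` falls in an affected range from the advisory."""
    v, snapshot = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        if snapshot and v == FIXED[branch]:
            return True   # conservative: a SNAPSHOT of the fix may predate it
        return v < FIXED[branch]
    if branch < min(FIXED):
        return True       # 3.4.x and older: below 3.5.11, no fixed release
    return False          # branches newer than 4.1 are not listed as affected


def scan_dependency_list(text: str) -> List[Tuple[str, str, bool]]:
    """Return (artifact, version, affected) for each org.apache.cxf jar."""
    findings = []
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if m:
            artifact, version = m.groups()
            findings.append((artifact, version, is_affected(version)))
    return findings


if __name__ == "__main__":
    for artifact, version, affected in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print("%-32s %-10s %s" % (artifact, version,
                                  "AFFECTED" if affected else "ok"))
```

Run it against the real output of `mvn dependency:list` (or any line-oriented artifact inventory using the same `group:artifact:type:version:scope` shape) instead of the constructed sample; shaded or fat jars that bundle CXF will not appear in that output and need to be checked separately.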
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.