CVE-2024-41172

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory

Published: Jul 19, 2024
Updated: May 4, 2025
CVE: CVE-2024-41172
GHSA: GHSA-4mgg-fqfq-64hg
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-401

Affected Software
References

Software	From	Fixed in
org.apache.cxf / cxf-rt-transports-http	4.0.0	4.0.5
org.apache.cxf / cxf-rt-transports-http	3.6.0	3.6.4
apache / cxf	4.0.0	4.0.5
apache / cxf	3.6.0	3.6.4

http://www.openwall.com/lists/oss-security/2024/07/18/4
https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6
https://security.netapp.com/advisory/ntap-20240808-0008/

Vulnerability Database

289,599

CVE-2024-41172