CVE-2025-23184

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).

Published: Jan 21, 2025
Updated: Jun 30, 2025
CVE: CVE-2025-23184
GHSA: GHSA-fh5r-crhr-qrrq
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
org.apache.cxf / cxf-core	-	3.5.10
org.apache.cxf / cxf-core	3.6.0	3.6.5
org.apache.cxf / cxf-core	4.0.0	4.0.6
apache / cxf	4.0.0	4.0.6
apache / cxf	3.6.0	3.6.5
apache / cxf	-	3.5.10

http://www.openwall.com/lists/oss-security/2025/01/20/3
https://github.com/apache/cxf/pull/2048
https://github.com/apache/cxf/pull/2111
https://issues.apache.org/jira/browse/CXF-7396
https://lists.apache.org/thread/lfs8l63rnctnj2skfrxyys7v8fgnt122
https://security.netapp.com/advisory/ntap-20250214-0003
https://security.netapp.com/advisory/ntap-20250214-0003/

Vulnerability Database

289,599

CVE-2025-23184