Vulnerability Database

309,084

Total vulnerabilities in the database

CVE-2025-48913

If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility.

Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

Published: Aug 8, 2025
Updated: Nov 17, 2025
CVE: CVE-2025-48913
GHSA: GHSA-g4px-6qhm-hqjm
Severity: Medium
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
org.apache.cxf / cxf-rt-transports-jms	-	3.6.8
org.apache.cxf / cxf-rt-transports-jms	4.0.0	4.0.9
org.apache.cxf / cxf-rt-transports-jms	4.1.0	4.1.3
apache / cxf	-	3.6.8
apache / cxf	4.0.0	4.0.9
apache / cxf	4.1.0	4.1.3

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo