Detections
Analytics
Apache CXF 3.5.10 / 3.6.5 / 4.0.6 / 4.1.0 DoS (CVE-2025-48795)
medium Nessus Plugin ID 242260
Synopsis
Apache CXF is affected by a denial of service vulnerability.Description
The version of Apache CXF installed on the remote host is 3.5.10, 3.6.5, 4.0.6, or 4.1.0. It is, therefore, affected by a denial of service vulnerability:- Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted. Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue. (CVE-2025-48795)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache CXF version 3.5.11, 3.6.6, 4.0.7, or 4.1.1 or later.See Also
Plugin Details
Severity: Medium
ID: 242260
File Name: apache_cxf_CVE-2025-48795.nasl
Version: 1.1
Type: local
Agent: windows, macosx, unix
Family: Misc.
Published: 7/17/2025
Updated: 7/17/2025
Configuration: Enable thorough checks (optional)
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.2
CVSS v2
Risk Factor: Medium
Base Score: 5.1
Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2025-48795
CVSS v3
Risk Factor: Medium
Base Score: 5.6
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Vulnerability Information
CPE: cpe:/a:apache:cxf
Required KB Items: installed_sw/Apache CXF
Patch Publication Date: 7/15/2025
Vulnerability Publication Date: 7/15/2025
Reference Information
CVE: CVE-2025-48795
IAVB: 2025-B-0119