PT-2025-32329 · Apache · Apache Cxf

B1Oo

Published

2025-08-07

Updated

2026-06-12

CVE-2025-48913

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 3.6.8 Apache CXF versions prior to 4.0.9 Apache CXF versions prior to 4.1.3

Description If untrusted users are permitted to configure JMS (Java Message Service) for Apache CXF, they could use RMI (Remote Method Invocation) or LDAP (Lightweight Directory Access Protocol) URLs. This could potentially lead to code execution capabilities. The interface has been restricted to reject these protocols to eliminate this risk.

Recommendations Upgrade to version 3.6.8 Upgrade to version 4.0.9 Upgrade to version 4.1.3

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2025-48913

GHSA-G4PX-6QHM-HQJM

RHSA-2025:17298

RHSA-2025:17317

RHSA-2026:4915

RHSA-2026:4916

RHSA-2026:4917

RHSA-2026:6011

RHSA-2026:6012

Affected Products

Apache Cxf

PT-2025-32329 · Apache · Apache Cxf

CVE-2025-48913

Weakness Enumeration

Related Identifiers

Affected Products

References · 18