
CVE-2025-48913


If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.


Published

2025-08-08T10:15:25.663

Last Modified

2025-11-04T22:16:17.657

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses
  • Type: Secondary
    CWE-20
  • Type: Primary
    NVD-CWE-noinfo

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | cxf | < 3.6.8 | Yes |
| Application | apache | cxf | < 4.0.9 | Yes |
| Application | apache | cxf | < 4.1.3 | Yes |
