CVE-2025-23184
Published: 21 January 2025
Description
A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
Security Summary
CVE-2025-23184 is a potential denial-of-service vulnerability in Apache CXF versions before 3.5.10, 3.6.5, and 4.0.6. In some edge cases, CachedOutputStream instances may not be closed, and if backed by temporary files, this can fill up the file system. The issue affects both servers and clients utilizing Apache CXF.
The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H): network attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or integrity impact, and high availability impact. Remote attackers can exploit it to exhaust file system space through unclosed temporary files, resulting in denial of service. It is associated with CWE-400 (Uncontrolled Resource Consumption).
Advisories, including those from Apache, OSS-Security, NetApp (ntap-20250214-0003), and Vicarius, point to upgrading to Apache CXF 3.5.10, 3.6.5, or 4.0.6 as the primary mitigation. Resources detail detection and mitigation steps for the CachedOutputStream issue.
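Because the only mitigation named above is an upgrade, the practical first step for a defender is to find every deployment whose Apache CXF version is older than the fix on its branch. The following script is an added example, not code from the advisory or from the Apache CXF project: it encodes the three fixed releases stated above (3.5.10, 3.6.5, 4.0.6), compares a version string branch-by-branch, treats `-SNAPSHOT` builds as older than the release they precede, and flags branches the advisory does not name (for example 4.1.x) as unlisted rather than guessing. The inventory of service names and versions at the bottom is constructed sample data.

```python
"""Classify Apache CXF versions against the CVE-2025-23184 fixed releases.

Added example for triage; the fixed versions come from the advisory text,
everything else (parsing rules, sample inventory) is constructed here.
"""
from __future__ import annotations

# Fixed releases named in the advisory, keyed by release branch (major, minor).
# The trailing 1 marks a GA release so that a SNAPSHOT (0) of the same number
# sorts as older than the fix.
FIXED_RELEASES: dict[tuple[int, int], tuple[int, int, int, int]] = {
    (3, 5): (3, 5, 10, 1),
    (3, 6): (3, 6, 5, 1),
    (4, 0): (4, 0, 6, 1),
}


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn '3.6.4' or '4.0.6-SNAPSHOT' into (major, minor, patch, release_flag).

    release_flag is 0 for a SNAPSHOT (pre-release) and 1 for a GA release, so
    '4.0.6-SNAPSHOT' compares lower than '4.0.6'. Missing components pad to 0.
    """
    core, _, qualifier = version.strip().partition("-")
    release_flag = 0 if qualifier.upper() == "SNAPSHOT" else 1
    nums: list[int] = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unsupported version component {part!r} in {version!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2], release_flag)


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for a CXF version string.

    On a branch with a fix (3.5, 3.6, 4.0) the version is compared with that
    fix. Anything older than the oldest fixed release (e.g. 3.4.x) is
    vulnerable because the advisory says 'before 3.5.10, 3.6.5 and 4.0.6'.
    Newer branches the advisory does not name are reported as 'unlisted'.
    """
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_RELEASES:
        return "fixed" if v >= FIXED_RELEASES[branch] else "vulnerable"
    if v < min(FIXED_RELEASES.values()):
        return "vulnerable"
    return "unlisted"


def scan_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Classify every entry of a {service_name: cxf_version} inventory."""
    return {name: classify(ver) for name, ver in inventory.items()}


# Constructed sample inventory (hypothetical service names and versions).
SAMPLE_INVENTORY = {
    "billing-soap-gateway": "3.5.9",
    "partner-api": "3.6.5",
    "legacy-ws": "3.4.10",
    "reporting": "4.0.6-SNAPSHOT",
    "new-platform": "4.1.0",
}

if __name__ == "__main__":
    for service, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{service:24} {SAMPLE_INVENTORY[service]:16} {status}")
```

Feed `scan_inventory` the versions pulled from your dependency manifests (for Maven, the `org.apache.cxf` artifact versions); anything reported as vulnerable is an upgrade candidate, and anything unlisted should be checked against the project's own release notes rather than assumed safe.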
Details
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)