Critical Published: Aug 08, 2025 Modified: Nov 04, 2025

CVE-2025-48913

9.8 CVSS Score

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility.

Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

CVSS Vector Details

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Affected Software Configurations

a apache cxf * * * * * * * *

Weaknesses (CWE)

CWE-20
NVD-CWE-noinfo

References & External Links

https://lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83
http://www.openwall.com/lists/oss-security/2025/08/07/2

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

← Back to CVE Tracker