CVE-2019-12406
Description
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache CXF before 3.3.4 and 3.2.11 lacks a limit on message attachments, enabling denial-of-service through crafting messages with many attachments.
Vulnerability
Description
CVE-2019-12406 is a denial-of-service (DoS) vulnerability in Apache CXF, a Java framework for web services. The flaw exists in versions before 3.3.4 and 3.2.11, where the software does not restrict the number of message attachments permitted in a single message. This absence of a limit allows an attacker to exhaust server resources by sending a message with an excessively large number of attachments [1].
Exploitation
Conditions
An attacker can exploit this vulnerability by crafting a malicious SOAP or REST message containing a very large number of attachments. No authentication or special network position is required, as the attack can be executed remotely over the network. The only prerequisite is that the target service accepts attachments, which is common in CXF-based applications.
Impact
Successful exploitation leads to a denial-of-service condition. The server may become unresponsive or crash due to resource exhaustion, affecting legitimate users. There is no confidentiality or integrity impact; the vulnerability solely targets availability.
Mitigation
The vulnerability is addressed in Apache CXF versions 3.3.4 and 3.2.11. These releases enforce a default limit of 50 message attachments, which can be configured via the message property "attachment-max-count". Users running older versions should upgrade immediately or apply the configuration change if possible [1].
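The advisory names the message property that controls the limit but not how it is set. The following is an added example (not code from the page or from the Apache CXF project) that publishes a JAX-WS endpoint through CXF's `JaxWsServerFactoryBean` with an explicit, tighter attachment-count limit than the 50-attachment default. The service class `GreeterImpl`, the endpoint address and the chosen limit of 10 are assumptions for illustration; the property is only honored by CXF 3.3.4 / 3.2.11 and later, so on earlier releases this configuration has no effect and upgrading remains the actual fix.

```java
// Added example, not from the page or the Apache CXF project.
// Assumptions: a hypothetical service implementation class GreeterImpl and
// the endpoint address below. "attachment-max-count" is the property named
// in the advisory; CXF enforces it from 3.3.4 / 3.2.11 onward.
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;

public class AttachmentLimitedServer {

    // Tighter than the 50-attachment default the patched releases enforce;
    // pick a value that matches what your service legitimately needs.
    static final int MAX_ATTACHMENTS = 10;

    public static Server start(Object serviceBean, String address) {
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceBean(serviceBean);
        factory.setAddress(address);

        // Endpoint properties are exposed to each incoming message as
        // contextual properties, which is where CXF reads the limit.
        Map<String, Object> props = new HashMap<>();
        props.put("attachment-max-count", String.valueOf(MAX_ATTACHMENTS));
        factory.setProperties(props);

        return factory.create();
    }

    public static void main(String[] args) {
        String address = "http://localhost:9000/greeter"; // assumed address
        Server server = start(new GreeterImpl(), address);   // GreeterImpl is hypothetical
        System.out.println("Endpoint published at " + address
                + " with attachment-max-count=" + MAX_ATTACHMENTS);
    }
}
```

A request carrying more attachments than the configured count is rejected by the patched attachment deserializer instead of being parsed to completion, so the same setting is also the one to check when auditing an existing deployment: if the CXF version is older than 3.3.4 / 3.2.11, no value of this property helps.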
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.cxf:cxf | Maven | < 3.2.11 | 3.2.11 |
| org.apache.cxf:cxf | Maven | >= 3.3.0, < 3.3.4 | 3.3.4 |
| org.apache.cxf:apache-cxf | Maven | < 3.2.11 | 3.2.11 |
| org.apache.cxf:apache-cxf | Maven | >= 3.3.0, < 3.3.4 | 3.3.4 |
Affected products
- Apache/CXF (description)
- ghsa-coords: 2 versions (< 3.2.11, + 1 more)
- (no CPE) range: < 3.2.11
- (no CPE) range: < 3.2.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-58p8-9g59-q2hr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-12406 (ghsa, ADVISORY)
- cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc (ghsa, x_refsource_CONFIRM, WEB)
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r92238967ba2783d3ab5a483f2e17f5fdaa8ace98990f69f9e8e15de0%40%3Cissues.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r92238967ba2783d3ab5a483f2e17f5fdaa8ace98990f69f9e8e15de0@%3Cissues.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rabc395b38acb7f2465bfbf0bc16d6e1e95720c89bea87abe8808eeea%40%3Cissues.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rabc395b38acb7f2465bfbf0bc16d6e1e95720c89bea87abe8808eeea@%3Cissues.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rb2a6dab1f781f55326543c56dc29ea677759439ddfeba920c83037e6%40%3Cissues.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rb2a6dab1f781f55326543c56dc29ea677759439ddfeba920c83037e6@%3Cissues.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rca465c9d1e1969281338522b76701c85a07abd045c494261137236e0%40%3Cissues.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rca465c9d1e1969281338522b76701c85a07abd045c494261137236e0@%3Cissues.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E (ghsa, WEB)
- www.oracle.com/security-alerts/cpuApr2021.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpuapr2020.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujan2020.html (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.