OAuth 2 authorization service vulnerable to DDoS attacks
Description
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https") and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache CXF OAuth2 JwtRequestCodeFilter fails to validate the request_uri parameter, enabling DDoS attacks against the authorization server.
Vulnerability Overview
Apache CXF's JwtRequestCodeFilter implements the OAuth 2.0 JWT Secured Authorization Request (JAR) flow: the authorization request parameters arrive either inline, as a JWT in the request parameter, or by reference, as a URI in the request_uri parameter from which the authorization server fetches the JWT. Before the fix, isRequestUriValid only checked that the value was non-null and started with "https://" (the method carried a TODO about restricting it to specific hosts), after which WebClient.create(requestUri).get(String.class) fetched the token. Nothing tied the URI to a value registered for the client and nothing restricted the destination host, so any client-supplied HTTPS URL was fetched server-side [1][3].
Exploitation and Attack Surface
An attacker sends an OAuth authorization request whose request_uri points at a target of their choosing (an internal service, a cloud metadata endpoint, or a third party they want flooded). CXF then issues an HTTPS GET to that URI, so the authorization server acts as a reflector: the target sees traffic originating from the authorization server's address, and each inbound request costs the server an outbound fetch it must wait for (the visible code sets no explicit timeout or response-size limit). No authentication is required; the filter receives the resolved Client, so a valid client_id in the request is enough to reach it [3]. Section 10.4.1 of the OAuth 2.0 JAR specification describes exactly this DDoS vector and why request_uri must be restricted [1].
Impact
A successful attack can deny service to the authorization server itself or to any host reachable from the CXF instance, including internal services the attacker cannot reach directly. By sending many such requests, an attacker can exhaust outbound connections, network bandwidth, CPU, or memory, disrupting legitimate OAuth flows. The fetched body is parsed as a JWT rather than returned to the attacker, so the issue does not directly lead to data disclosure or privilege escalation, but it can severely impact availability [1][3].
Mitigation
The fix shipped in Apache CXF 3.4.3 and 3.3.10 consists of two commits. Commit 40503a5 makes isRequestUriValid return false by default and turns it into a protected, documented extension point, so request_uri is rejected unless a deployment subclasses the filter and supplies its own validation; it also sends Accept: application/oauth-authz-req+jwt when fetching. Commit aa789c5 rejects requests that carry both request and request_uri with a SecurityException and a logged warning [4]. Users should upgrade to these versions. Deployments that still need request_uri after upgrading must override isRequestUriValid with strict checks (per-client pre-registered URIs rather than a scheme check alone); deployments that do not use JAR can apply the workaround of disabling JwtRequestCodeFilter [1][4].
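The following is an added example, not code from Apache CXF or from the advisory, of the override that the post-fix extension point expects from a deployment that wants request_uri back (it illustrates both the Overview above, which shows how little the original check did, and the Mitigation). It targets CXF 3.4.3 / 3.3.10 or later, where isRequestUriValid is protected and returns false by default. The class name, the per-client registry map, and the sample URIs in main() are assumptions for illustration; the three-argument Client constructor (client id, secret, confidential flag) and LogUtils are CXF's own. The override only accepts an https URI that is well formed, carries no userinfo or fragment, has a normalized path, and matches exactly one of the request_uri values registered out of band for the requesting client, which is the pre-registration control section 10.4.1 of the JAR specification points to.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.grants.code.JwtRequestCodeFilter;

/**
 * Added example (not CXF code): re-enables request_uri on the post-fix
 * JwtRequestCodeFilter, but only for values pre-registered per client.
 * The class name and the registry map are assumptions for illustration.
 */
public class RegisteredRequestUriFilter extends JwtRequestCodeFilter {
    private static final Logger LOG = LogUtils.getL7dLogger(RegisteredRequestUriFilter.class);
    private static final int MAX_URI_LENGTH = 512;

    // clientId -> exact request_uri strings registered out of band for that client
    private final Map<String, Set<String>> registeredRequestUris;

    public RegisteredRequestUriFilter(Map<String, Set<String>> registeredRequestUris) {
        this.registeredRequestUris = registeredRequestUris;
    }

    @Override
    protected boolean isRequestUriValid(Client client, String requestUri) {
        if (client == null || requestUri == null) {
            return false;
        }
        String reason = rejectionReason(client.getClientId(), requestUri);
        if (reason != null) {
            // Log and refuse; the superclass then continues without a request object.
            LOG.warning("Rejecting request_uri for client " + client.getClientId() + ": " + reason);
            return false;
        }
        return true;
    }

    /** Returns null when the value is acceptable, otherwise a short reason for refusing it. */
    String rejectionReason(String clientId, String requestUri) {
        if (requestUri.length() > MAX_URI_LENGTH) {
            return "value too long";
        }
        URI uri;
        try {
            uri = new URI(requestUri);
        } catch (URISyntaxException e) {
            return "unparseable URI";
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return "scheme is not https";
        }
        if (uri.getRawUserInfo() != null || uri.getRawFragment() != null) {
            return "userinfo or fragment present";
        }
        if (uri.getHost() == null || !uri.normalize().equals(uri)) {
            return "missing host or non-normalized path";
        }
        Set<String> allowed = registeredRequestUris.getOrDefault(clientId, Collections.<String>emptySet());
        // Exact match only: no host-only or prefix matching, so a registered host
        // cannot be used to reach arbitrary paths on it or on other hosts.
        if (!allowed.contains(requestUri)) {
            return "not pre-registered for this client";
        }
        return null;
    }

    // Stand-alone run over constructed sample URIs (not real registrations).
    public static void main(String[] args) {
        Map<String, Set<String>> registry = new HashMap<>();
        registry.put("client-a", new HashSet<>(Collections.singleton(
            "https://client-a.example/jar/request.jwt")));
        RegisteredRequestUriFilter filter = new RegisteredRequestUriFilter(registry);
        Client clientA = new Client("client-a", "s3cret", true);

        String[] probes = {
            "https://client-a.example/jar/request.jwt",        // the registered value
            "https://169.254.169.254/latest/meta-data/",       // cloud metadata endpoint
            "https://client-a.example/jar/../jar/request.jwt", // traversal to the same resource
            "https://user@client-a.example/jar/request.jwt",   // userinfo component
            "http://client-a.example/jar/request.jwt"          // plain http
        };
        for (String probe : probes) {
            System.out.println((filter.isRequestUriValid(clientA, probe) ? "accept " : "reject ") + probe);
        }
    }
}
```

Register the subclass in place of JwtRequestCodeFilter wherever the authorization service is wired up. Keeping the registry per client, and matching the whole string rather than a host or prefix, is what stops the authorization server from being steered at hosts the client never registered; the length cap and the refusal of non-normalized paths close the obvious ways of smuggling a different target through a registered one.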
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:cxf (Maven) | >= 3.4.0, < 3.4.3 | 3.4.3 |
| org.apache.cxf:cxf (Maven) | < 3.3.10 | 3.3.10 |
| org.apache.cxf:apache-cxf (Maven) | >= 3.4.0, < 3.4.3 | 3.4.3 |
| org.apache.cxf:apache-cxf (Maven) | < 3.3.10 | 3.3.10 |
Affected products
- GHSA coordinates (2 version ranges): >= 3.4.0, < 3.4.3, + 1 more
  - (no CPE) range: >= 3.4.0, < 3.4.3
  - (no CPE) range: >= 3.4.0, < 3.4.3
- Apache Software Foundation / Apache CXF (CVE v5 record): range unspecified
Patches
aa789c5c4686 Make sure both a request + request_uri can't be specified
1 file changed · +11 −1
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java+11 −1 modified@@ -21,9 +21,11 @@ import java.security.cert.X509Certificate; import java.util.List; import java.util.Map; +import java.util.logging.Logger; import javax.ws.rs.core.MultivaluedMap; +import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.jaxrs.client.WebClient; import org.apache.cxf.jaxrs.impl.MetadataMap; @@ -42,23 +44,31 @@ import org.apache.cxf.rt.security.crypto.CryptoUtils; public class JwtRequestCodeFilter extends OAuthJoseJwtConsumer implements AuthorizationRequestFilter { + protected static final Logger LOG = LogUtils.getL7dLogger(JwtRequestCodeFilter.class); private static final String REQUEST_URI_CONTENT_TYPE = "application/oauth-authz-req+jwt"; private static final String REQUEST_PARAM = "request"; private static final String REQUEST_URI_PARAM = "request_uri"; + private boolean verifyWithClientCertificates; private String issuer; private JsonMapObjectReaderWriter jsonHandler = new JsonMapObjectReaderWriter(); + @Override public MultivaluedMap<String, String> process(MultivaluedMap<String, String> params, UserSubject endUser, Client client) { String requestToken = params.getFirst(REQUEST_PARAM); + String requestUri = params.getFirst(REQUEST_URI_PARAM); + if (requestToken == null) { - String requestUri = params.getFirst(REQUEST_URI_PARAM); if (isRequestUriValid(client, requestUri)) { requestToken = WebClient.create(requestUri).accept(REQUEST_URI_CONTENT_TYPE).get(String.class); } + } else if (requestUri != null) { + LOG.warning("It is not valid to specify both a request and request_uri value"); + throw new SecurityException(); } + if (requestToken != null) { JweDecryptionProvider theDecryptor = super.getInitializedDecryptionProvider(client.getClientSecret()); JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(client);
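Review bot: in the process() hunk the conflict branch throws a bare `throw new SecurityException();`, so the only record of why the request was refused is the preceding LOG.warning; pass the same text to the exception (`throw new SecurityException("It is not valid to specify both a request and request_uri value");`) so callers and error handlers see it too. The warning also omits which client sent the conflicting request, although `client.getClientId()` is in scope; include it so a single abusive client can be told apart in logs.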
40503a539147 Disallow OAuth2 request_uri by default
1 file changed · +13 −4
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java+13 −4 modified@@ -42,6 +42,7 @@ import org.apache.cxf.rt.security.crypto.CryptoUtils; public class JwtRequestCodeFilter extends OAuthJoseJwtConsumer implements AuthorizationRequestFilter { + private static final String REQUEST_URI_CONTENT_TYPE = "application/oauth-authz-req+jwt"; private static final String REQUEST_PARAM = "request"; private static final String REQUEST_URI_PARAM = "request_uri"; private boolean verifyWithClientCertificates; @@ -55,7 +56,7 @@ public MultivaluedMap<String, String> process(MultivaluedMap<String, String> par if (requestToken == null) { String requestUri = params.getFirst(REQUEST_URI_PARAM); if (isRequestUriValid(client, requestUri)) { - requestToken = WebClient.create(requestUri).get(String.class); + requestToken = WebClient.create(requestUri).accept(REQUEST_URI_CONTENT_TYPE).get(String.class); } } if (requestToken != null) { @@ -101,9 +102,17 @@ public MultivaluedMap<String, String> process(MultivaluedMap<String, String> par } return params; } - private boolean isRequestUriValid(Client client, String requestUri) { - //TODO: consider restricting to specific hosts - return requestUri != null && requestUri.startsWith("https://"); + + /** + * This method must be overridden to support request_uri. Take care to validate the request_uri properly, + * as otherwise it could lead to a security problem + * (https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-10.4) + * @param client the Client object + * @param requestUri the request_uri parameter to validate + * @return whether the requestUri is permitted or not + */ + protected boolean isRequestUriValid(Client client, String requestUri) { + return false; } protected JwsSignatureVerifier getInitializedSigVerifier(Client c) { if (verifyWithClientCertificates) {
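Review bot: the fetch in the process() hunk, `WebClient.create(requestUri).accept(REQUEST_URI_CONTENT_TYPE).get(String.class)`, still has no connection or receive timeout and no bound on the response size, so any request_uri that an override of isRequestUriValid lets through can hold the authorization server's thread open or feed it an arbitrarily large body; configure the conduit's HTTPClientPolicy timeouts (via WebClient.getConfig(...).getHttpConduit().getClient()) and reject bodies over a few kilobytes before handing them to the JWT parser. Setting Accept only states a preference; the response's Content-Type is not checked against application/oauth-authz-req+jwt, which would be a cheap way to drop non-JAR content early.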
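Review bot: the isRequestUriValid hunk returns false with no log statement, so after an upgrade a deployment that relied on request_uri will see its requests silently processed without the JWT rather than an explicit rejection; a warning (or at least fine-level) log when request_uri is present but refused would make the behaviour change visible. The Javadoc should also spell out what "validate the request_uri properly" means for an override, at minimum https only, no redirects followed, and an exact match against values pre-registered for the Client, since the override is now the only control. Note that the link points at draft-ietf-oauth-jwsreq-30 section 10.4 while the advisory text cites section 10.4.1; pick one so readers land on the DoS discussion.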
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7q4h-pj78-j7vg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22696 (NVD advisory)
- www.openwall.com/lists/oss-security/2021/04/02/2 (oss-security mailing list)
- cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc (Apache CXF advisory)
- github.com/apache/cxf/commit/40503a53914758759894f704bbf139ae89ace286 (fix commit)
- github.com/apache/cxf/commit/aa789c5c4686597a7bdef2443909ab491fc2bc04 (fix commit)
- lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d702656b7cbe59045@%3Cannounce.apache.org%3E (announce@apache.org mailing list)
- lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914@%3Cdev.cxf.apache.org%3E (dev@cxf.apache.org mailing list)
- lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914@%3Cusers.cxf.apache.org%3E (users@cxf.apache.org mailing list)
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E (commits@cxf.apache.org mailing list)
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E (commits@cxf.apache.org mailing list)
- www.oracle.com/security-alerts/cpuapr2022.html (Oracle Critical Patch Update, April 2022)
- www.oracle.com/security-alerts/cpuoct2021.html (Oracle Critical Patch Update, October 2021)