Apache CXF directory listing / code exfiltration
Description
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache CXF misconfiguration allows remote directory listing or code exfiltration via CXFServlet when both static-resources-list and redirect-query-check are enabled.
Vulnerability
Overview
CVE-2022-46363 is a misconfiguration vulnerability in Apache CXF, an open-source Java framework for building web services and REST APIs [1]. The flaw arises only when CXFServlet is configured with both the static-resources-list and redirect-query-check attributes at the same time, a combination the project states is not meant to be used together [1]. Under that configuration a remote attacker can obtain a directory listing or exfiltrate code from the server.
Exploitation
An attacker exploits the flaw by sending crafted HTTP requests to the affected CXFServlet endpoint; no authentication is needed, but the misconfiguration must be present [1]. static-resources-list names, as regular expressions, the paths that CXFServlet serves itself as static content instead of dispatching to a service, while redirect-query-check extends the servlet's redirect matching to the request's query string. When both are configured, requests can reach directory contents and source files that the servlet should never have served.
Impact
Successful exploitation discloses information: the attacker can enumerate files and directories under the web application and retrieve sensitive configuration files, source code, or other resources that may aid further attacks [1]. Because the outcome includes code exfiltration, the issue is treated as high severity.
Mitigation
The vulnerability is fixed in Apache CXF 3.5.5 and 3.4.10 [1]; upgrade to one of these versions or later. Where an upgrade cannot happen immediately, remove one of the two attributes from the CXFServlet configuration so that static-resources-list and redirect-query-check are never set together [1].
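The following script is an added example for this page, not code from the Apache CXF project. It checks a deployment for the two conditions described above: it parses a web.xml and flags any CXFServlet declaration that sets both static-resources-list and redirect-query-check, and it tests a cxf-core version against the affected ranges in the advisory table. It assumes the servlet is declared in web.xml with init-param entries (Spring Boot property-based configuration is not covered); the two web.xml documents it scans are constructed inline, one with the weak configuration and one with the corrected configuration.

```python
"""Flag the CXFServlet misconfiguration behind CVE-2022-46363 in a web.xml.

Added example for this page, not code from the Apache CXF project. It assumes
the servlet is declared in web.xml with <init-param> entries (property-based
Spring Boot configuration is not covered) and takes the affected ranges from
the advisory table: < 3.4.10, and >= 3.5.0 but < 3.5.5.
"""
import re
import xml.etree.ElementTree as ET

CXF_SERVLET_CLASS = "org.apache.cxf.transport.servlet.CXFServlet"
STATIC_PARAM = "static-resources-list"
REDIRECT_QUERY_PARAM = "redirect-query-check"


def web_xml_for(init_params: dict) -> str:
    """Build a minimal web.xml declaring one CXFServlet (constructed sample)."""
    params = "".join(
        f"    <init-param>\n      <param-name>{k}</param-name>\n"
        f"      <param-value>{v}</param-value>\n    </init-param>\n"
        for k, v in init_params.items()
    )
    return (
        '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">\n'
        "  <servlet>\n    <servlet-name>CXFServlet</servlet-name>\n"
        f"    <servlet-class>{CXF_SERVLET_CLASS}</servlet-class>\n{params}"
        "  </servlet>\n  <servlet-mapping>\n"
        "    <servlet-name>CXFServlet</servlet-name>\n"
        "    <url-pattern>/services/*</url-pattern>\n  </servlet-mapping>\n"
        "</web-app>\n"
    )


# Weak configuration: both attributes the advisory says must not be combined.
VULNERABLE_WEB_XML = web_xml_for({STATIC_PARAM: "/static/.*",
                                  REDIRECT_QUERY_PARAM: "true"})
# Corrected configuration: static resources are still served, but the
# redirect-query-check attribute is gone.
FIXED_WEB_XML = web_xml_for({STATIC_PARAM: "/static/.*"})


def _local(tag: str) -> str:
    """Strip an XML namespace: '{...javaee}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def cxf_servlet_params(web_xml: str) -> dict:
    """Map each CXFServlet <servlet-name> to its init-param name/value dict."""
    found = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = clazz = None
        params = {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                clazz = (child.text or "").strip()
            elif tag == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                if "param-name" in kv:
                    params[kv["param-name"]] = kv.get("param-value", "")
        if clazz == CXF_SERVLET_CLASS:
            found[name] = params
    return found


def find_misconfigured(web_xml: str) -> list:
    """Names of CXFServlet declarations that set both parameters.

    The advisory is phrased in terms of the attributes being configured
    together, so presence is flagged regardless of the values given.
    """
    return [name for name, params in cxf_servlet_params(web_xml).items()
            if STATIC_PARAM in params and REDIRECT_QUERY_PARAM in params]


def parse_version(version: str) -> tuple:
    """'3.5.4' -> (3, 5, 4); any trailing qualifier is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised CXF version: {version!r}")
    return tuple(int(n) for n in m.groups())


def is_affected_version(version: str) -> bool:
    """True when cxf-core falls inside an advisory-listed affected range."""
    v = parse_version(version)
    return v < (3, 4, 10) or (3, 5, 0) <= v < (3, 5, 5)


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, "->", find_misconfigured(doc) or "no combined attributes")
    for ver in ("3.4.9", "3.4.10", "3.5.4", "3.5.5", "3.6.0"):
        print(ver, "affected" if is_affected_version(ver) else "not in affected ranges")
```

Run it against a real web.xml by reading the file into a string and passing it to find_misconfigured; the version check should be fed the resolved cxf-core version from the build (for example from the dependency tree), not from a property that may be overridden. The scanner flags the attribute pair on presence alone because that is how the advisory defines the condition; tightening it to only flag redirect-query-check=true would be an assumption the page does not support.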
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:cxf-core (Maven) | < 3.4.10 | 3.4.10 |
| org.apache.cxf:cxf-core (Maven) | >= 3.5.0, < 3.5.5 | 3.5.5 |
Affected products
- Apache Software Foundation / Apache CXF, range: 3.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3w37-5p3p-jv92 (GitHub Security Advisory)
- lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c (Apache vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-46363 (NVD)
News mentions
No linked articles in our index yet.