Apache CXF: Denial of Service vulnerability with temporary files
Description
A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in Apache CXF where unclosed CachedOutputStream instances can fill the file system with temporary files.
Vulnerability Description
In Apache CXF versions prior to 3.5.10, 3.6.5, and 4.0.6, the CachedOutputStream class may fail to close its underlying temporary files in certain edge cases. The root cause lies in the maybeDeleteTempFile method, which does not always remove streams from its internal list correctly, especially under high concurrency [3].
Exploitation
An attacker can exploit this by sending a large number of requests that trigger the caching mechanism, causing temporary files to accumulate on the server or client file system. No special authentication is required if the service is accessible; the vulnerability applies to both server and client contexts [1].
Impact
Over time, the accumulation of temporary files can exhaust disk space, leading to a denial of service (DoS) condition. This affects the availability of the system but does not expose data or allow code execution [1].
Mitigation
The vulnerability is fixed in Apache CXF versions 3.5.10, 3.6.5, and 4.0.6. The fix refactors the cleaner implementation and adds guardrails to ensure temporary files are properly deleted [4]. Users should upgrade to these versions or later.
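The symptom of this issue is orphaned spill-over files accumulating in the temp directory until the disk fills. The following script is an added defender-side check, not code from Apache CXF or from this advisory: it scans a directory for CachedOutputStream temp files and raises an alert when their count, total size, or age crosses a threshold, which is useful for confirming the condition on unpatched hosts while the upgrade is rolled out. It assumes (labelled as such in the code) that CXF names these files with a `cos` prefix and `tmp` suffix in the configured output directory; adjust the glob if your deployment differs.

```python
"""Detect accumulation of orphaned CachedOutputStream temp files (added example)."""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# ASSUMPTION: CXF's CachedOutputStream spills large payloads to files named
# "cos<random>tmp" in java.io.tmpdir (or the directory configured for it).
# Verify against your own deployment before relying on this pattern.
TEMP_FILE_GLOB = "cos*tmp"


@dataclass
class TempFileReport:
    count: int          # matching files currently present
    total_bytes: int    # disk space they occupy
    stale_count: int    # files older than max_age_seconds (likely never closed)
    alert: bool         # any threshold exceeded


def scan_cached_output_dir(directory, max_files=1000, max_bytes=1 << 30,
                           max_age_seconds=3600, now=None):
    """Count temp files and flag accumulation. A healthy instance closes its
    streams promptly, so any file older than max_age_seconds is suspicious."""
    now = time.time() if now is None else now
    count = total = stale = 0
    for path in Path(directory).glob(TEMP_FILE_GLOB):
        if not path.is_file():
            continue
        try:
            st = path.stat()
        except FileNotFoundError:
            # The stream was closed and its file deleted between glob and stat:
            # that is normal behaviour, not an orphan, so skip it.
            continue
        count += 1
        total += st.st_size
        if now - st.st_mtime > max_age_seconds:
            stale += 1
    alert = count > max_files or total > max_bytes or stale > 0
    return TempFileReport(count, total, stale, alert)


def build_sample_dir(root, n_files, size, age_seconds):
    """Create constructed sample files that mimic the naming scheme (test data,
    not real CXF output) and back-date their mtime by age_seconds."""
    for i in range(n_files):
        path = Path(root) / f"cos{i:06d}tmp"
        path.write_bytes(b"\0" * size)
        mtime = time.time() - age_seconds
        os.utime(path, (mtime, mtime))


def demo_stale():
    """Five files that are two hours old: every one counts as stale."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_dir(d, n_files=5, size=1024, age_seconds=7200)
        return scan_cached_output_dir(d, max_age_seconds=3600)


def demo_clean():
    """Two fresh files well under every threshold: no alert."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_dir(d, n_files=2, size=512, age_seconds=10)
        return scan_cached_output_dir(d, max_age_seconds=3600)


if __name__ == "__main__":
    for label, report in (("stale", demo_stale()), ("clean", demo_clean())):
        print(f"{label}: {report}")
```

Run it periodically from a monitoring job against the CXF temp directory and alert on `report.alert`; the age check is the most reliable signal, since legitimate spill files live only for the duration of one request.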
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:cxf-core (Maven) | < 3.5.10 | 3.5.10 |
| org.apache.cxf:cxf-core (Maven) | >= 3.6.0, < 3.6.5 | 3.6.5 |
| org.apache.cxf:cxf-core (Maven) | >= 4.0.0, < 4.0.6 | 4.0.6 |
Affected products
OSV coordinates (no CPE):
- pkg:apk/chainguard/apache-tika-2.9 (range: < 2.9.2-r5)
- pkg:apk/chainguard/apache-tika-2.9-compat (range: < 2.9.2-r5)
- pkg:apk/chainguard/apache-tika-3.0 (range: < 3.0.0-r9)
- pkg:apk/chainguard/apache-tika-3.0-compat (range: < 3.0.0-r9)
- pkg:apk/chainguard/wso2is (range: < 7.1.0-r1)
- pkg:apk/chainguard/wso2is-compat (range: < 7.1.0-r1)
- pkg:apk/chainguard/wso2is-doc (range: < 7.1.0-r1)
- pkg:apk/wolfi/apache-tika-3.0 (range: < 3.0.0-r9)
- pkg:apk/wolfi/apache-tika-3.0-compat (range: < 3.0.0-r9)
- pkg:maven/org.apache.cxf/cxf-core (range: < 3.5.10)
- Apache Software Foundation/Apache CXF (v5) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fh5r-crhr-qrrq (ghsa, ADVISORY)
- lists.apache.org/thread/lfs8l63rnctnj2skfrxyys7v8fgnt122 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-23184 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2025/01/20/3 (ghsa, WEB)
- github.com/apache/cxf/pull/2048 (ghsa, WEB)
- github.com/apache/cxf/pull/2111 (ghsa, WEB)
- issues.apache.org/jira/browse/CXF-7396 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20250214-0003 (ghsa, WEB)
- www.vicarius.io/vsociety/posts/cve-2025-23184-detect-apache-cxf-vulnerability (ghsa, WEB)
- www.vicarius.io/vsociety/posts/cve-2025-23184-mitigate-apache-cxf-vulnerability (ghsa, WEB)
News mentions
No linked articles in our index yet.