Apache CXF: Denial of Service and sensitive data exposure in logs
Description
Apache CXF stores large stream-based messages as temporary files on the local filesystem. A bug was introduced that causes the entire temporary file to be read into memory and then written to the log: when CXF's delayed cleaner detects an unclosed (leaked) cached stream, it string-concatenates the stream object into a warning message, and that concatenation calls the stream's toString(), which yields the full cached content (see the fix commit below). An attacker might be able to exploit this to cause a denial of service by triggering an out-of-memory error. In addition, CXF can be configured to encrypt temporary files so that sensitive credentials are not cached unencrypted on the local filesystem, but this bug means the cached contents are written to the logs unencrypted.
Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fix this issue.
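The following stand-alone Java program is an added illustration of the bug class described above; it is not Apache CXF code. `FileBackedStream` is a hypothetical stand-in for a stream whose payload has been spilled to a temp file and whose `toString()` returns that payload, and the "Bearer" line in the payload is constructed sample data. `describeLeakVulnerable` reproduces the pattern the fix commit removed (implicit `toString()` through string concatenation); `describeLeakSafe` logs only the object's identity.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.logging.Logger;

/**
 * Added example (not CXF's own code, Java 11+). Models how a log statement that
 * string-concatenates a file-backed stream ends up reading the whole temp file
 * into memory and into the log, and how to log the object without doing so.
 */
public class LeakLogDemo {
    private static final Logger LOG = Logger.getLogger(LeakLogDemo.class.getName());

    /** Hypothetical stand-in for a cached stream spilled to disk. */
    static final class FileBackedStream implements AutoCloseable {
        private final Path tempFile;
        private boolean closed;

        FileBackedStream(byte[] payload) throws IOException {
            this.tempFile = Files.createTempFile("spill-", ".bin");
            Files.write(tempFile, payload);
        }

        // Assumption mirroring the advisory: toString() returns the full cached
        // content, so "..." + stream reads the entire temp file into the heap.
        @Override
        public String toString() {
            if (closed) {
                return "<closed>";
            }
            try {
                return new String(Files.readAllBytes(tempFile), StandardCharsets.UTF_8);
            } catch (IOException e) {
                return "<unreadable: " + e.getMessage() + ">";
            }
        }

        @Override
        public void close() throws IOException {
            closed = true;
            Files.deleteIfExists(tempFile);
        }
    }

    /** Vulnerable pattern: concatenation invokes toString(), pulling the payload into the message. */
    static String describeLeakVulnerable(FileBackedStream leaked) {
        return "Unclosed (leaked?) stream detected: " + leaked;
    }

    /** Hardened pattern: name the object by identity; the payload never enters memory or the log. */
    static String describeLeakSafe(FileBackedStream leaked) {
        return "Unclosed (leaked?) stream detected: " + leaked.getClass().getSimpleName()
                + "@" + Integer.toHexString(System.identityHashCode(leaked));
    }

    public static void main(String[] args) throws IOException {
        // Constructed payload: a credential header followed by ~1 MiB of filler,
        // standing in for a large message that CXF would have spilled to disk.
        byte[] payload = ("Authorization: Bearer example-secret-token\n"
                + "x".repeat(1 << 20)).getBytes(StandardCharsets.UTF_8);
        FileBackedStream leaked = new FileBackedStream(payload);

        // The vulnerable message is as large as the file; with a payload bigger
        // than the available heap this concatenation throws OutOfMemoryError.
        String bad = describeLeakVulnerable(leaked);
        String good = describeLeakSafe(leaked);

        System.out.println("vulnerable message length: " + bad.length());
        System.out.println("vulnerable message contains the token: " + bad.contains("example-secret-token"));
        System.out.println("hardened message: " + good);
        LOG.warning(good);

        leaked.close();
    }
}
```

Run with `java LeakLogDemo.java`. The hardened variant uses `System.identityHashCode` rather than the `hashCode()` the project's fix chose; both avoid `toString()`, but the identity hash does not depend on the stream class never overriding `hashCode()` with something content-derived.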
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache CXF reads entire temporary files into memory and writes them to its log, enabling denial of service and exposure of credentials that were meant to be encrypted at rest.
Apache CXF stores large stream-based messages as temporary files on the local filesystem. A bug causes the entire temporary file to be read into memory and logged, which can lead to an out-of-memory error. Additionally, if encryption of temporary files is configured, the unencrypted content is still written to the logs, exposing sensitive data [1][4].
An attacker might trigger this by sending large stream-based messages, causing CXF to spill them to temporary files that are later logged in full when the cached stream is reported as unclosed. No special privileges are needed, and the messages can be sent remotely, since CXF processes incoming requests [1].
The impact includes denial of service through memory exhaustion and disclosure of sensitive information that should have been encrypted. This can compromise confidentiality and availability of the service [1][4].
Users are recommended to upgrade to Apache CXF versions 3.5.11, 3.6.6, 4.0.7, or 4.1.1, which fix the issue by not logging the complete stream [3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:cxf-core (Maven) | < 3.5.11 | 3.5.11 |
| org.apache.cxf:cxf-core (Maven) | >= 3.6.0, < 3.6.6 | 3.6.6 |
| org.apache.cxf:cxf-core (Maven) | >= 4.0.0, < 4.0.7 | 4.0.7 |
| org.apache.cxf:cxf-core (Maven) | >= 4.1.0, < 4.1.1 | 4.1.1 |
Affected products
- Apache Software Foundation / Apache CXF (v5 record), range: 3.5.10
Patches
1c1d687f8e29 fix: do not log complete stream. (#2258)
1 file changed · +1 −1
core/src/main/java/org/apache/cxf/io/DelayedCachedOutputStreamCleaner.java+1 −1 modified@@ -119,7 +119,7 @@ private void clean(Collection<DelayedCloseable> closeables) { final DelayedCloseable next = iterator.next(); try { iterator.remove(); - LOG.warning("Unclosed (leaked?) stream detected: " + next.closeable); + LOG.warning("Unclosed (leaked?) stream detected: " + next.closeable.hashCode()); next.closeable.close(); } catch (final IOException | RuntimeException ex) { LOG.warning("Unable to close (leaked?) stream: " + ex.getMessage());
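Review bot: `next.closeable.hashCode()` does remove the full-content `toString()` from the warning, but it still relies on the closeable's `hashCode()` not being overridden with something expensive or content-derived; `System.identityHashCode(next.closeable)`, or `next.closeable.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(next.closeable))`, names the object without that dependency and is a more readable identifier than a bare integer. A short comment on the log call stating that a cached stream must never be string-concatenated, because its `toString()` returns the whole cached payload, would stop the next maintainer from reintroducing the original `+ next.closeable`. Since the patch touches one call site (1 file, +1 −1), the same audit should be applied to any other log or exception message that takes a cached stream as an operand.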
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-36wv-v2qp-v4g4 (GHSA advisory)
- lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-48795 (NVD advisory)
- www.openwall.com/lists/oss-security/2025/07/15/3 (oss-security post)
- github.com/apache/cxf/commit/1c1d687f8e295f433a3592a3bc0b0a63c432bfde (fix commit)
- github.com/apache/cxf/pull/2258 (pull request)