VYPR
Moderate severity · NVD Advisory · Published Aug 8, 2025 · Updated Feb 26, 2026

Apache CXF: Untrusted JMS configuration can lead to RCE

CVE-2025-48913

Description

If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility.

Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache CXF allowed untrusted JMS configuration using RMI or LDAP URLs, enabling potential code execution; patches restrict these protocols.

Root Cause

CVE-2025-48913 affects Apache CXF, an open-source services framework. The vulnerability arises in the JndiHelper class, used when configuring Java Message Service (JMS) connections. If an untrusted user can supply JNDI environment properties, they could set the provider URL to an ldap:// or rmi:// scheme [1][3]. This allowed the application to connect to attacker-controlled LDAP or RMI servers, which can return serialized Java objects that, when deserialized, lead to remote code execution.

Attack Vector

The attack requires that untrusted users are permitted to configure JMS endpoints. In many deployments, this configuration is exposed via administrative interfaces or application properties files. By providing a malicious provider URL, an attacker can trigger a JNDI lookup that retrieves a remote object from an attacker-controlled server, resulting in arbitrary code execution on the CXF server [3]. No authentication is bypassed if the configuration interface is already accessible to the attacker.

Impact

Successful exploitation can lead to full remote code execution with the privileges of the CXF application. This is rated as moderate severity; however, the impact could be critical in environments where such configuration interfaces are exposed to untrusted users. The vulnerability has been assigned a CVSS 4.0 score by the Apache project, though NVD has not yet provided a vector [1].

Mitigation

The fix introduces a validation check in JndiHelper that rejects provider URLs starting with ldap:// or rmi://, throwing an IllegalArgumentException [4]. Users are recommended to upgrade to Apache CXF versions 3.6.8, 4.0.9, or 4.1.3 [1][3]. No workarounds are available beyond upgrading or restricting access to JMS configuration interfaces.
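The mitigation above rejects two URL prefixes in the JndiHelper constructor. The same idea can be written as a scheme allowlist that parses the provider URL, normalises the scheme's case, and hands back a copy of the environment so that later changes to the caller's Properties cannot slip past the check. This is an added illustration, not Apache CXF's JndiHelper or any code from the project; the class name, the ALLOWED_SCHEMES set and the sample URLs are assumptions constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import javax.naming.Context;

// Added example (not CXF code): allowlist check for java.naming.provider.url.
public final class JndiProviderUrlCheck {

    // Hypothetical allowlist; a real deployment lists only the schemes its
    // broker/JNDI provider actually uses.
    private static final Set<String> ALLOWED_SCHEMES =
            Set.of("tcp", "ssl", "vm", "amqp", "amqps");

    private JndiProviderUrlCheck() {
    }

    /**
     * Validates Context.PROVIDER_URL (if present) and returns a defensive copy
     * of the environment. Throws IllegalArgumentException when the URL cannot
     * be parsed, has no scheme, or uses a scheme outside the allowlist.
     */
    public static Properties validate(Properties environment) {
        String providerUrl = environment.getProperty(Context.PROVIDER_URL);
        if (providerUrl != null) {
            String scheme;
            try {
                scheme = new URI(providerUrl.trim()).getScheme();
            } catch (URISyntaxException e) {
                throw new IllegalArgumentException("Malformed JNDI provider URL", e);
            }
            if (scheme == null) {
                throw new IllegalArgumentException("JNDI provider URL has no scheme");
            }
            // Lower-case before comparing so "LDAP://" and "ldap://" are treated alike.
            if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
                throw new IllegalArgumentException(
                        "Scheme not permitted for JNDI provider URL: " + scheme);
            }
        }
        // Copy the properties: the check runs once, so the caller must not be able
        // to mutate the validated object afterwards.
        Properties copy = new Properties();
        copy.putAll(environment);
        return copy;
    }

    public static void main(String[] args) {
        Properties ok = new Properties();
        ok.put(Context.PROVIDER_URL, "tcp://broker.example:61616"); // constructed sample
        Properties validated = validate(ok);
        System.out.println("accepted: " + validated.getProperty(Context.PROVIDER_URL));

        Properties bad = new Properties();
        bad.put(Context.PROVIDER_URL, "LDAP://localhost:1389/cn=x"); // constructed sample
        try {
            validate(bad);
            System.out.println("unexpected: bad URL accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An allowlist is easier to keep complete than a denylist: every scheme the transport does not need is rejected by default, including variants that differ only in case or in a trailing "s".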

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Ecosystem  Affected versions    Patched versions
org.apache.cxf:cxf-rt-transports-jms   Maven      < 3.6.8              3.6.8
org.apache.cxf:cxf-rt-transports-jms   Maven      >= 4.0.0, < 4.0.9    4.0.9
org.apache.cxf:cxf-rt-transports-jms   Maven      >= 4.1.0, < 4.1.3    4.1.3

Affected products (2)

  • Apache/Cxf [llm-fuzzy]
    Range: <3.6.8 || (>=4.0.0 <4.0.9) || (>=4.1.0 <4.1.3)
  • Apache Software Foundation/Apache CXF [v5]
    Range: 4.1.0

Patches (1)

Commit 24e50ffeca31

Forbid LDAP/RMI from JndiHelper (#2414)

https://github.com/apache/cxf · Colm O hEigeartaigh · May 20, 2025 · via ghsa
2 files changed · +30 -0
  • rt/transports/jms/src/main/java/org/apache/cxf/transport/jms/util/JndiHelper.java (+7 -0, modified)
    @@ -34,6 +34,13 @@ public class JndiHelper {
          */
         public JndiHelper(Properties environment) {
             this.environment = environment;
    +
    +        // Avoid unsafe protocols if they are somehow misconfigured
    +        String providerUrl = environment.getProperty(Context.PROVIDER_URL);
    +        if (providerUrl != null && (providerUrl.startsWith("ldap://")
    +                || providerUrl.startsWith("rmi://"))) {
    +            throw new IllegalArgumentException("Unsafe protocol in JNDI URL: " + providerUrl);
    +        }
         }
     
         @SuppressWarnings("unchecked")
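Review bot: the check `if (providerUrl != null && (providerUrl.startsWith("ldap://") || providerUrl.startsWith("rmi://")))` is a case-sensitive prefix denylist, so it only covers those two exact spellings; parse the value with `java.net.URI`, compare the lower-cased scheme against an allowlist of the schemes the JMS transport actually supports, and the list stays complete without having to enumerate every unwanted variant. Also, `this.environment = environment;` keeps a reference to the caller's `Properties`, so the validation runs once at construction while the provider URL remains changeable afterwards; copy the environment or re-validate at lookup time. A short comment naming the reason (the CVE) next to the check would help future readers understand why these schemes are refused.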
    
  • rt/transports/jms/src/test/java/org/apache/cxf/transport/jms/JMSConfigFactoryTest.java (+23 -0, modified)
    @@ -19,6 +19,9 @@
     
     package org.apache.cxf.transport.jms;
     
    +import java.util.Properties;
    +
    +import javax.naming.Context;
     import javax.naming.NamingException;
     import javax.transaction.xa.XAException;
     
    @@ -35,6 +38,26 @@
     
     public class JMSConfigFactoryTest extends AbstractJMSTester {
     
    +    @Test
    +    public void testJndiForbiddenProtocol() throws Exception {
    +        Properties env = new Properties();
    +        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    +        env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:12345");
    +        // Allow following referrals (important for LDAP injection)
    +        env.put(Context.REFERRAL, "follow");
    +        
    +        JMSConfiguration jmsConfig = new JMSConfiguration();
    +        jmsConfig.setJndiEnvironment(env);
    +        jmsConfig.setConnectionFactoryName("objectName");
    +        
    +        try {
    +            jmsConfig.getConnectionFactory();
    +            Assert.fail("JNDI lookup should have failed");
    +        } catch (Exception e) {
    +            Assert.assertTrue(e.getMessage().contains("Unsafe protocol in JNDI URL"));
    +        }
    +    }
    +
         @Test
         public void testUsernameAndPassword() throws Exception {
             EndpointInfo ei = setupServiceInfo("HelloWorldService", "HelloWorldPort");
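Review bot: `testJndiForbiddenProtocol` only exercises `ldap://`, while the fix also rejects `rmi://`; add a second case (or loop over both URLs) so a regression in either branch is caught. The `catch (Exception e)` followed by `Assert.assertTrue(e.getMessage().contains("Unsafe protocol in JNDI URL"))` also blurs failures: an exception with a null message becomes a NullPointerException inside the catch, and any exception type passes as long as its text matches. Catch `IllegalArgumentException`, the type the constructor throws, or use JUnit's `assertThrows` where the project's JUnit version provides it, and assert on that typed exception's message.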
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)
