Moderate severityNVD Advisory· Published Aug 8, 2025· Updated Feb 26, 2026
Apache CXF: Untrusted JMS configuration can lead to RCE
CVE-2025-48913
Description
If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility.
Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.cxf:cxf-rt-transports-jmsMaven | < 3.6.8 | 3.6.8 |
org.apache.cxf:cxf-rt-transports-jmsMaven | >= 4.0.0, < 4.0.9 | 4.0.9 |
org.apache.cxf:cxf-rt-transports-jmsMaven | >= 4.1.0, < 4.1.3 | 4.1.3 |
Affected products
12- osv-coords11 versionspkg:apk/chainguard/wildflypkg:apk/chainguard/wildfly-openjdk-17pkg:apk/chainguard/wildfly-openjdk-17-compatpkg:apk/chainguard/wildfly-openjdk-21pkg:apk/chainguard/wildfly-openjdk-21-compatpkg:apk/wolfi/wildflypkg:apk/wolfi/wildfly-openjdk-17pkg:apk/wolfi/wildfly-openjdk-17-compatpkg:apk/wolfi/wildfly-openjdk-21pkg:apk/wolfi/wildfly-openjdk-21-compatpkg:maven/org.apache.cxf/cxf-rt-transports-jms
< 36.0.1-r8+ 10 more
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 3.6.8
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-g4px-6qhm-hqjmghsaADVISORY
- lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-48913ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/08/07/2ghsaWEB
- github.com/apache/cxf/commit/24e50ffeca3132570c2f297c5c7dbd05a1bb1bfaghsaWEB
- github.com/mbhatt1/disclosures/security/advisories/GHSA-hv69-h8rg-7jg2ghsaWEB
News mentions
0No linked articles in our index yet.