Critical severity9.8NVD Advisory· Published Aug 8, 2025· Updated Jun 17, 2026
CVE-2025-48913
CVE-2025-48913
Description
If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility.
Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.cxf:cxf-rt-transports-jmsMaven | < 3.6.8 | 3.6.8 |
org.apache.cxf:cxf-rt-transports-jmsMaven | >= 4.0.0, < 4.0.9 | 4.0.9 |
org.apache.cxf:cxf-rt-transports-jmsMaven | >= 4.1.0, < 4.1.3 | 4.1.3 |
Affected products
12- osv-coords11 versionspkg:apk/chainguard/wildflypkg:apk/chainguard/wildfly-openjdk-17pkg:apk/chainguard/wildfly-openjdk-17-compatpkg:apk/chainguard/wildfly-openjdk-21pkg:apk/chainguard/wildfly-openjdk-21-compatpkg:apk/wolfi/wildflypkg:apk/wolfi/wildfly-openjdk-17pkg:apk/wolfi/wildfly-openjdk-17-compatpkg:apk/wolfi/wildfly-openjdk-21pkg:apk/wolfi/wildfly-openjdk-21-compatpkg:maven/org.apache.cxf/cxf-rt-transports-jms
< 36.0.1-r8+ 10 more
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 3.6.8
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-g4px-6qhm-hqjmghsaADVISORY
- lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83nvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-48913ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/08/07/2nvdWEB
- github.com/apache/cxf/commit/24e50ffeca3132570c2f297c5c7dbd05a1bb1bfaghsaWEB
- github.com/mbhatt1/disclosures/security/advisories/GHSA-hv69-h8rg-7jg2ghsaWEB
News mentions
0No linked articles in our index yet.