A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
CVE-2025-23184
cvssV3: HIGH, score: 7.5
http://www.openwall.com/lists/oss-security/2025/01/20/3
https://lists.apache.org/thread/lfs8l63rnctnj2skfrxyys7v8fgnt122
Affected submodules
cxf-rt-ws-policy
cxf-rt-ws-addr
cxf-rt-transports-http
cxf-rt-frontend-simple
cxf-rt-frontend-jaxws
cxf-rt-databinding-jaxb
cxf-rt-bindings-xml
cxf-rt-bindings-soap
All of them are reported twice in our security job – version 4.0.5 in worker and version 3.6.4 in cloveretl.initiate.engine.