CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files

January 21, 2025

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).

References

github.com/advisories/GHSA-fh5r-crhr-qrrq
github.com/apache/cxf
github.com/apache/cxf/pull/2048
github.com/apache/cxf/pull/2111
issues.apache.org/jira/browse/CXF-7396
lists.apache.org/thread/lfs8l63rnctnj2skfrxyys7v8fgnt122
nvd.nist.gov/vuln/detail/CVE-2025-23184

Detect and mitigate CVE-2025-23184 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →