CVE-2025-23184 MEDIUM

CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files

Vendor: Apache Software Foundation
Product: Apache CXF
Weakness: CWE-400
Published: January 21, 2025
Last update: December 15, 2025

CVSS base score

5.9/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, CachedOutputStream instances may not be closed and, if they are backed by temporary files, may fill up the file system. This applies to both servers and clients.
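To check a deployment against the fixed versions listed above, the following added example (not code from the advisory or from the Apache CXF project) classifies `cxf-core` jar names by branch. It assumes Maven-style file names, that `cxf-core` is the jar carrying `CachedOutputStream`, that branches older than 3.5 count as affected, and that branches newer than 4.0 count as fixed; the jar list is constructed sample input.

```python
import re

# Fixed release per branch, taken from the advisory text.
FIXED = {(3, 5): (3, 5, 10), (3, 6): (3, 6, 5), (4, 0): (4, 0, 6)}

# Assumption: jars follow Maven naming, e.g. cxf-core-3.5.9.jar.
JAR_RE = re.compile(r"cxf-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) from a cxf-core jar name, or None."""
    m = JAR_RE.search(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True if the version predates the fix for its branch.

    Assumption: branches older than 3.5 have no fixed release and are
    treated as affected; branches newer than 4.0 are treated as fixed.
    """
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    return branch < (3, 5)


def audit(jar_names):
    """Map each recognised cxf-core jar name to 'affected' or 'fixed'."""
    report = {}
    for name in jar_names:
        version = parse_version(name)
        if version is not None:  # skip jars that are not cxf-core
            report[name] = "affected" if is_affected(version) else "fixed"
    return report


# Constructed sample input: file names as they might appear in WEB-INF/lib.
SAMPLE = [
    "WEB-INF/lib/cxf-core-3.5.9.jar",
    "WEB-INF/lib/cxf-core-3.6.5.jar",
    "WEB-INF/lib/cxf-core-4.0.5.jar",
    "WEB-INF/lib/commons-io-2.11.0.jar",
]

if __name__ == "__main__":
    for jar, status in audit(SAMPLE).items():
        print(f"{status:9} {jar}")
```
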

Key dates

Disclosure timeline

January 21, 2025: CVE published
December 15, 2025: Record updated