CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE

Vendor Apache Software Foundation
Product Apache CXF
Weakness CWE-20 · Input validation
Published August 8, 2025
Last update February 26, 2026

Description

Previously, if untrusted users were allowed to configure JMS for Apache CXF, they could supply RMI or LDAP URLs in that configuration, potentially leading to code execution. The interface now rejects those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

Disclosure timeline

August 8, 2025 CVE published
February 26, 2026 Record updated