CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files
(updated )
A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
References
- github.com/advisories/GHSA-fh5r-crhr-qrrq
- github.com/apache/cxf
- github.com/apache/cxf/pull/2048
- github.com/apache/cxf/pull/2111
- issues.apache.org/jira/browse/CXF-7396
- lists.apache.org/thread/lfs8l63rnctnj2skfrxyys7v8fgnt122
- nvd.nist.gov/vuln/detail/CVE-2025-23184
- security.netapp.com/advisory/ntap-20250214-0003
Code Behaviors & Features
Detect and mitigate CVE-2025-23184 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →