VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-2dvq-px7t-mqas

Essentials
Severities (41)
References (13)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-2dvq-px7t-mqas
Aliases	CVE-2025-48795 GHSA-36wv-v2qp-v4g4
Summary	Apache CXF is vulnerable to DoS attacks as entire files are read into memory and logged Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted. Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-400	Uncontrolled Resource Consumption
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	4.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48795.json
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0006	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0008	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0008	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
epss	0.0008	https://api.first.org/data/v1/epss?cve=CVE-2025-48795
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-36wv-v2qp-v4g4
cvssv3.1	5.6	https://github.com/apache/cxf
generic_textual	MODERATE	https://github.com/apache/cxf
cvssv3.1	5.6	https://github.com/apache/cxf/commit/1c1d687f8e295f433a3592a3bc0b0a63c432bfde
generic_textual	MODERATE	https://github.com/apache/cxf/commit/1c1d687f8e295f433a3592a3bc0b0a63c432bfde
cvssv3.1	5.6	https://github.com/apache/cxf/pull/2258
generic_textual	MODERATE	https://github.com/apache/cxf/pull/2258
cvssv3.1	5.6	https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn
generic_textual	MODERATE	https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn
ssvc	Track	https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn
cvssv3.1	5.6	https://nvd.nist.gov/vuln/detail/CVE-2025-48795
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2025-48795

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48795.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-48795
		https://github.com/apache/cxf
		https://github.com/apache/cxf/commit/1c1d687f8e295f433a3592a3bc0b0a63c432bfde
		https://github.com/apache/cxf/pull/2258
		https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn
		https://nvd.nist.gov/vuln/detail/CVE-2025-48795
2380189		https://bugzilla.redhat.com/show_bug.cgi?id=2380189
cpe:2.3:a:apache:cxf:3.5.10:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:cxf:3.5.10:::::::*
cpe:2.3:a:apache:cxf:3.6.5:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:cxf:3.6.5:::::::*
cpe:2.3:a:apache:cxf:4.0.6:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:cxf:4.0.6:::::::*
cpe:2.3:a:apache:cxf:4.1.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:cxf:4.1.0:::::::*
GHSA-36wv-v2qp-v4g4		https://github.com/advisories/GHSA-36wv-v2qp-v4g4

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48795.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/apache/cxf

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/apache/cxf/commit/1c1d687f8e295f433a3592a3bc0b0a63c432bfde

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/apache/cxf/pull/2258

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T20:44:08Z/ Found at https://lists.apache.org/thread/vo5qv02mvv5plmb6z2xf1ktjmrpv3jmn

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2025-48795

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.19158
EPSS Score	0.0006
Published At	July 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:38:55.962255+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-36wv-v2qp-v4g4/GHSA-36wv-v2qp-v4g4.json	37.0.0