CVE-2025-48913

CRITICAL 9.8

Apache CXF: Untrusted JMS configuration can lead to RCE

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

CWE	CWE-20
Vendor	apache software foundation
Product	apache cxf
Published	Aug 8, 2025
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache cxf

Be the first to know when new critical vulnerabilities affecting apache software foundation apache cxf are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache CXF

4.1.0 < 4.1.3 4.0.0 < 4.0.9 0 < 3.6.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83 openwall.com: http://www.openwall.com/lists/oss-security/2025/08/07/2

Credits

M Bhatt (r34p3r) OWASP GenAI Security Project & Blake Gatto (b1oo) Shrewd Research