CVE-2025-23184
Denial of Service vulnerability in org.apache.cxf:cxf-core
What is CVE-2025-23184 About?
Apache CXF versions before 3.5.10, 3.6.5 and 4.0.6 carry a potential denial-of-service flaw. In some edge cases `CachedOutputStream` instances are not closed; when those instances are backed by temporary files, the leftover files accumulate and can fill the file system, which in turn can make the service (and anything else that writes to the same volume) unavailable. The advisory does not spell out which request patterns hit the edge case, so treat any exposed service running an affected version as at risk rather than waiting for a trigger to be published.
Affected Software
- org.apache.cxf:cxf-core
- <3.5.10
- >=3.6.0, <3.6.5
- >=4.0.0, <4.0.6
Technical Details
CXF buffers message payloads on both the server and the client side in `CachedOutputStream`. Small payloads stay in memory; once a payload exceeds the configured threshold (128 KiB by default, adjustable through the `org.apache.cxf.io.CachedOutputStream.Threshold` property) the buffer is spilled to a temporary file in `java.io.tmpdir` or in the directory set with `org.apache.cxf.io.CachedOutputStream.OutputDirectory`. Closing the stream deletes that file. In the edge cases covered by this CVE an instance is never closed, so its temporary file is never removed. Each such message leaves one file behind; under sustained traffic the files accumulate until the volume is full, at which point the JVM can no longer write (logs, further caches, session state) and the service stops functioning. Because only payloads above the threshold reach disk, how fast the volume fills depends on how many large messages hit the leaking path, not on request count alone.
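To make the failure mode concrete, here is an added Python model of the caching behaviour; it is not CXF's code (CXF's class is Java) and is not from the page. It assumes, as CXF does, that a stream keeps bytes in memory until a size threshold is crossed, spills to a temporary file after that, and deletes the file on close. The `cos`/`tmp` file-name prefix and suffix are assumed to mirror CXF's temp-file naming (verify against your installed version); the 1 KiB threshold, the request loop and the payloads are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class CachedOutputStream:
    """Toy model of a threshold-backed cached output stream (not CXF's class).

    Bytes are kept in memory until `threshold` is exceeded; after that the
    buffer is spilled to a temporary file under `output_dir` and further
    writes append to it. close() removes the file. An instance that is
    never closed leaves its file on disk, which is the leak described above.
    """

    def __init__(self, output_dir, threshold=128 * 1024):
        self.output_dir = Path(output_dir)
        self.threshold = threshold
        self.buffer = bytearray()
        self.temp_file = None
        self.closed = False

    def write(self, data: bytes) -> None:
        if self.closed:
            raise ValueError("write on closed stream")
        if self.temp_file is None:
            self.buffer.extend(data)
            if len(self.buffer) > self.threshold:
                # Spill to disk; "cos...tmp" naming is an assumption about CXF.
                fd, path = tempfile.mkstemp(prefix="cos", suffix="tmp",
                                            dir=str(self.output_dir))
                with os.fdopen(fd, "wb") as fh:
                    fh.write(self.buffer)
                self.buffer = bytearray()
                self.temp_file = Path(path)
        else:
            with self.temp_file.open("ab") as fh:
                fh.write(data)

    def close(self) -> None:
        if not self.closed and self.temp_file is not None:
            self.temp_file.unlink(missing_ok=True)
        self.closed = True

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()


def leaked_cache_files(output_dir):
    """Return (count, total_bytes) of cos*tmp files left in output_dir."""
    files = list(Path(output_dir).glob("cos*tmp"))
    return len(files), sum(f.stat().st_size for f in files)


def handle_requests(output_dir, requests, payload_size, close_streams, threshold):
    """Buffer `requests` payloads, then report what is left on disk."""
    for _ in range(requests):
        cos = CachedOutputStream(output_dir, threshold)
        cos.write(b"A" * payload_size)
        if close_streams:
            cos.close()  # correct behaviour: the temp file is released
        # otherwise the instance is dropped without close(): file stays behind
    return leaked_cache_files(output_dir)


def run_demo(threshold=1024, requests=5, payload_size=4096):
    """Compare closed vs. unclosed streams in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        closed = handle_requests(scratch, requests, payload_size, True, threshold)
        unclosed = handle_requests(scratch, requests, payload_size, False, threshold)
        # Payloads under the threshold never touch disk, so even leaked
        # instances add no files: the disk impact comes from large messages.
        small = handle_requests(scratch, requests, threshold // 2, False, threshold)
        return {"closed": closed, "unclosed": unclosed, "small_unclosed": small}


if __name__ == "__main__":
    print(run_demo())
```

The same `leaked_cache_files` scan, pointed at the real `java.io.tmpdir` or the configured CXF output directory, is a cheap way to tell whether a running service is accumulating leaked files; a count that only ever grows between samples is the symptom to alert on.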
What is the Impact of CVE-2025-23184?
Successful exploitation exhausts disk space on the host running CXF. The CXF service then fails to process legitimate requests, and because the whole volume is full, other processes that write to it (logging, databases, the JVM's own temporary files) fail as well, so the impact can extend beyond the vulnerable application. Recovery requires removing the leaked files and deploying the fixed version; the advisory describes no confidentiality or integrity impact.
What is the Exploitability of CVE-2025-23184?
Exploiting this issue requires an affected CXF version and traffic that drives `CachedOutputStream` into the unclosed edge case; the advisory does not identify the exact conditions. No authentication or privilege requirement is mentioned, so an unauthenticated client of an exposed endpoint that reaches the leaking path can trigger it remotely. The effect is cumulative rather than instantaneous: each leaked instance adds one temporary file, so an attacker has to send enough qualifying messages, each large enough to exceed the caching threshold, to outrun the free space on the volume; the same accumulation can also happen organically under normal load. Practical checks: watch `java.io.tmpdir` (or the configured CXF output directory) for a steadily growing number of CXF temporary files, and alert on free-space thresholds for that volume.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | - | - |
What are the Available Fixes for CVE-2025-23184?
Available Upgrade Options
- org.apache.cxf:cxf-core
- <3.5.10 → Upgrade to 3.5.10
- >=3.6.0, <3.6.5 → Upgrade to 3.6.5
- >=4.0.0, <4.0.6 → Upgrade to 4.0.6
Upgrade every org.apache.cxf artifact together (the cxf-rt-* modules pull in the matching cxf-core version), and confirm with the dependency tree that no older cxf-core is still resolved transitively.
Additional Resources
- https://github.com/apache/cxf/pull/2048
- https://github.com/apache/cxf
- https://nvd.nist.gov/vuln/detail/CVE-2025-23184
- https://osv.dev/vulnerability/GHSA-fh5r-crhr-qrrq
- http://www.openwall.com/lists/oss-security/2025/01/20/3
- https://issues.apache.org/jira/browse/CXF-7396
- https://lists.apache.org/thread/lfs8l63rnctnj2skfrxyys7v8fgnt122
- https://security.netapp.com/advisory/ntap-20250214-0003
What are Similar Vulnerabilities to CVE-2025-23184?
Similar Vulnerabilities: CVE-2023-37901, CVE-2022-40148, CVE-2021-44228, CVE-2020-13936, CVE-2019-12406
