A remote attacker can execute arbitrary code on the Apache CXF server if untrusted users are allowed to configure JMS. This is due to an incomplete fix for a previous vulnerability. The attacker can gain control of the server and access sensitive data.
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Apache CXF users who allow untrusted JMS configuration are at high risk of remote code execution attacks.
Remediation Recommended
This vulnerability carries significant risk. Schedule patching in your next cycle.
What should I do?
No Fix Known
No patch has been released yet. Apply workarounds or mitigations where available.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products: apache / cxf