Cyber Resilience

CVE-2025-23184

Medium · DDoS

Published: 21 January 2025

Modified: 15 December 2025
CVSS Score (v3.1): 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0015 (34.9th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23184 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache CXF. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 34.9th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

A potential denial of service vulnerability exists in Apache CXF versions prior to 3.5.10, 3.6.5, and 4.0.6. In certain edge cases, CachedOutputStream instances may fail to close properly; when these streams are backed by temporary files, the unclosed handles can accumulate and exhaust available filesystem space. The issue affects both CXF servers and clients and is tracked under CWE-400 with a CVSS 3.1 score of 5.9.

An unauthenticated remote attacker can trigger the flaw over the network by sending crafted requests that exercise the affected code paths. Successful exploitation requires high attack complexity but results in high availability impact through disk-space exhaustion, without affecting confidentiality or integrity.

Apache has published fixes in the referenced versions, and downstream advisories such as the NetApp security bulletin recommend upgrading CXF installations. Detection and mitigation guidance is also available from community sources that outline version checks and configuration adjustments to prevent temporary-file accumulation.
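The version check referred to above, as an added example that is not part of this advisory or of the Apache CXF project: it classifies a CXF release string against the fixed versions named in the text (3.5.10, 3.6.5, 4.0.6) and applies that check to jar file names from a (constructed) library directory listing. The per-branch handling and the jar-name pattern are assumptions.

```python
"""Classify Apache CXF versions against the CVE-2025-23184 fixed releases.

The fixed versions come from the advisory text; treating each as the first
fixed release of its MAJOR.MINOR branch is an assumption made here.
"""
import re

# (major, minor) branch -> first fixed version on that branch
FIXED_VERSIONS = {
    (3, 5): (3, 5, 10),
    (3, 6): (3, 6, 5),
    (4, 0): (4, 0, 6),
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple (any '-SNAPSHOT' style qualifier is ignored)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a CXF release version: {text!r}")
    return tuple(int(p) for p in m.groups())


def cxf_status(version):
    """Return 'affected', 'fixed' or 'unknown' for a CXF release string."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return "affected" if v < FIXED_VERSIONS[branch] else "fixed"
    # Branches with no listed fix: anything older than the oldest fixed release
    # (e.g. 3.4.x) predates the fix and is reported as affected; newer branches
    # (e.g. 4.1.x) are outside the advisory's scope, so report 'unknown'.
    return "affected" if v < min(FIXED_VERSIONS.values()) else "unknown"


# Assumed jar naming, e.g. cxf-core-3.5.9.jar or cxf-rt-transports-http-4.0.5.jar
JAR_RE = re.compile(r"^cxf-[\w.-]*?(\d+\.\d+\.\d+)\.jar$")


def scan_jar_names(names):
    """Map each CXF jar file name in `names` (e.g. os.listdir output) to its status."""
    results = {}
    for name in names:
        m = JAR_RE.match(name)
        if m:
            results[name] = cxf_status(m.group(1))
    return results


if __name__ == "__main__":
    # Constructed sample listing of an application's lib directory, not real data.
    sample = ["cxf-core-3.5.9.jar", "cxf-rt-transports-http-3.6.5.jar",
              "cxf-core-4.0.5.jar", "jackson-databind-2.15.2.jar"]
    for jar, status in scan_jar_names(sample).items():
        print(f"{jar}: {status}")
```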

EPSS for the CVE rose from a baseline of 0.0015 to a peak of 0.0134 on 2025-12-18 before receding, indicating a measurable increase in exploitation interest after public disclosure. No confirmed in-the-wild exploitation has been reported in the available references.

Vulnerability details

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a remote DoS via uncontrolled resource consumption (temp file accumulation leading to disk exhaustion) through exploitation of a software flaw in Apache CXF, directly matching Application or System Exploitation under Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42403 (same vendor: Apache)
CVE-2025-48913 (same product: Apache CXF)
CVE-2026-42402 (same vendor: Apache)
CVE-2026-39304 (same vendor: Apache)
CVE-2026-49361 (same vendor: Apache)
CVE-2024-45626 (same vendor: Apache)
CVE-2026-41284 (same vendor: Apache)
CVE-2026-41636 (same vendor: Apache)
CVE-2025-53477 (same vendor: Apache)
CVE-2025-48431 (same vendor: Apache)

Affected Assets

Vendor: apache · Product: cxf
≤ 3.5.10 · 3.6.0 — 3.6.5 · 4.0.0 — 4.0.6

Mitigating Controls (NIST 800-53 r5)

prevent

Remediating the flaw in vulnerable Apache CXF versions directly prevents CachedOutputStream instances from remaining unclosed and exhausting file system space with temporary files.

prevent

Protects file system resource availability from degradation due to excessive demand caused by unclosed temporary files in Apache CXF.

prevent

Implements denial-of-service protections to limit the effects of resource exhaustion attacks exploiting unclosed CachedOutputStream temporary files.
