CVE-2025-23184
Published: 21 January 2025
Summary
CVE-2025-23184 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache CXF. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 34.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
A potential denial of service vulnerability exists in Apache CXF versions prior to 3.5.10, 3.6.5, and 4.0.6. In certain edge cases, CachedOutputStream instances may fail to close properly; when these streams are backed by temporary files, the unclosed handles can accumulate and exhaust available filesystem space. The issue affects both CXF servers and clients and is tracked under CWE-400 with a CVSS 3.1 score of 5.9.
An unauthenticated remote attacker can trigger the flaw over the network by sending crafted requests that exercise the affected code paths. Successful exploitation requires high attack complexity but results in high availability impact through disk-space exhaustion, without affecting confidentiality or integrity.
Apache has published fixes in the referenced versions, and downstream advisories such as the NetApp security bulletin recommend upgrading CXF installations. Detection and mitigation guidance is also available from community sources that outline version checks and configuration adjustments to prevent temporary-file accumulation.
EPSS for the CVE rose from a baseline of 0.0015 to a peak of 0.0134 on 2025-12-18 before receding, indicating a measurable increase in exploitation interest after public disclosure. No confirmed in-the-wild exploitation has been reported in the available references.
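The version checks mentioned above can be automated. The following script is an added example written for this page; it is not code from the page's sources or from the Apache CXF project. It assumes the advisory's fixed releases (3.5.10, 3.6.5, 4.0.6) are the only boundaries that matter: any 3.5.x, 3.6.x or 4.0.x build below its branch's fix is affected, older branches (e.g. 3.4.x) are assumed affected, and branches newer than 4.0.x are assumed to carry the fix. It also assumes the standard Maven jar naming (`cxf-<artifact>-<version>.jar`) and treats a `-SNAPSHOT` build of a fixed release as still affected, since such a build may predate the fix. The directory listing is constructed sample input.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (3, 5): (3, 5, 10),
    (3, 6): (3, 6, 5),
    (4, 0): (4, 0, 6),
}

# Assumed Maven naming: cxf-core-3.6.4.jar, cxf-rt-frontend-jaxws-4.0.5-SNAPSHOT.jar
CXF_JAR_RE = re.compile(r"^cxf-[\w-]+?-(\d+\.\d+\.\d+[\w.-]*)\.jar$")


def parse_version(text):
    """Split a CXF version string into ((major, minor, patch), is_snapshot)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised CXF version: {text!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    snapshot = "SNAPSHOT" in m.group(4).upper()
    return nums, snapshot


def is_vulnerable(version):
    """True if the given CXF version predates the fix for its branch.

    Assumption for branches not named in the advisory: anything older than
    the oldest fixed branch (3.5.x) is affected, anything newer than 4.0.x
    already includes the fix.
    """
    nums, snapshot = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(nums[:2], FIXED_BY_BRANCH[(3, 5)])
    # A SNAPSHOT of the fixed release may have been built before the fix
    # landed, so it is treated as affected; a released build is fixed once
    # its numeric version reaches the fixed release.
    return nums <= fixed if snapshot else nums < fixed


def scan_jar_listing(listing):
    """Return [(jar_name, version, vulnerable)] for each CXF jar in a listing."""
    findings = []
    for line in listing.splitlines():
        name = line.strip().rsplit("/", 1)[-1]   # keep only the file name
        m = CXF_JAR_RE.match(name)
        if m:
            version = m.group(1)
            findings.append((name, version, is_vulnerable(version)))
    return findings


# Constructed sample listing (deliberately mixes versions to exercise each rule).
SAMPLE_LISTING = """\
/opt/app/lib/cxf-core-3.6.4.jar
/opt/app/lib/cxf-rt-frontend-jaxws-3.6.4.jar
/opt/app/lib/cxf-rt-transports-http-4.0.6.jar
/opt/app/lib/jackson-databind-2.17.2.jar
/opt/app/lib/cxf-core-4.0.5-SNAPSHOT.jar
"""

if __name__ == "__main__":
    for jar, version, vulnerable in scan_jar_listing(SAMPLE_LISTING):
        status = "VULNERABLE" if vulnerable else "fixed"
        print(f"{status:<11} {version:<16} {jar}")
```

Feed it the output of `ls /path/to/lib` (or `find ... -name 'cxf-*.jar'`) from each host; any line reported as VULNERABLE calls for an upgrade to the fixed release of that branch. Bundled or shaded distributions that rename the jars will not match the pattern and must be checked by other means (e.g. the `Implementation-Version` in the jar manifest).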
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0158
Vulnerability details
A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
The CVE describes a remote DoS via uncontrolled resource consumption (temp file accumulation leading to disk exhaustion) through exploitation of a software flaw in Apache CXF, directly matching Application or System Exploitation under Endpoint Denial of Service.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: Remediating the flaw in vulnerable Apache CXF versions directly prevents CachedOutputStream instances from remaining unclosed and exhausting file system space with temporary files.
- SC-6 (Resource Availability): Protects file system resource availability from degradation due to excessive demand caused by unclosed temporary files in Apache CXF.
- SC-5 (Denial-of-service Protection): Implements denial-of-service protections to limit the effects of resource exhaustion attacks exploiting unclosed CachedOutputStream temporary files.