CVE-2025-23184
Published: 21 January 2025
Summary
CVE-2025-23184 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache CXF. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (upgrade): moving vulnerable Apache CXF versions to a fixed release directly prevents CachedOutputStream instances from remaining unclosed and exhausting file system space with temporary files.
- SC-6 (Resource Availability): protects file system availability from degradation under excessive demand caused by unclosed temporary files in Apache CXF.
- SC-5 (Denial-of-service Protection): limits the effects of resource exhaustion attacks that rely on unclosed CachedOutputStream temporary files.
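As an added example of an SC-6 style availability check (this is the editor's code, not from the page's advisories or from Apache CXF itself): a Python script that scans a JVM temp directory for CachedOutputStream spill files that have outlived the longest legitimate request. It assumes the spill files are named with prefix cos and suffix .tmp in java.io.tmpdir (CXF's default naming as this editor understands it; verify against your deployment), and it constructs its own sample directory so it runs offline.

```python
"""Check a JVM temp directory for leaked Apache CXF CachedOutputStream spill files.

CachedOutputStream spills large payloads to a temp file and deletes it on
close(); a stream that is never closed leaves its file behind. Counting old
files that match the spill-file naming pattern is a cheap availability check
that can run from cron or a monitoring agent.
"""
import os
import tempfile
import time
from dataclasses import dataclass, field

# ASSUMPTION: CXF names its spill files with prefix "cos" and suffix ".tmp"
# inside java.io.tmpdir (or its configured output directory). Adjust if your
# deployment uses a different location or naming.
COS_PREFIX = "cos"
COS_SUFFIX = ".tmp"


@dataclass
class LeakReport:
    stale_files: list = field(default_factory=list)  # (path, size_bytes, age_s)
    stale_bytes: int = 0
    fresh_files: int = 0  # matching files younger than min_age_s (probably in use)


def scan_cos_tempfiles(tmpdir, min_age_s=300, now=None):
    """Return a LeakReport for files matching the CXF spill-file pattern.

    A spill file that is still open is typically young; one older than
    min_age_s is a leak candidate. Age is derived from mtime, so a very slow
    legitimate request can look stale: set min_age_s above the slowest
    request the deployment is expected to serve.
    """
    now = time.time() if now is None else now
    report = LeakReport()
    with os.scandir(tmpdir) as entries:
        for entry in entries:
            name = entry.name
            if not (entry.is_file(follow_symlinks=False)
                    and name.startswith(COS_PREFIX) and name.endswith(COS_SUFFIX)):
                continue
            st = entry.stat(follow_symlinks=False)
            age = now - st.st_mtime
            if age >= min_age_s:
                report.stale_files.append((entry.path, st.st_size, age))
                report.stale_bytes += st.st_size
            else:
                report.fresh_files += 1
    # Oldest leaks first: they are the best evidence of an unclosed stream.
    report.stale_files.sort(key=lambda t: t[2], reverse=True)
    return report


def exceeds_budget(report, max_stale_files=0, max_stale_bytes=0):
    """True when leaked files exceed either budget (defaults: any leak alerts)."""
    return (len(report.stale_files) > max_stale_files
            or report.stale_bytes > max_stale_bytes)


def build_sample_tmpdir(now=None):
    """Create a CONSTRUCTED sample dir: three old spill files, one fresh, one decoy."""
    now = time.time() if now is None else now
    d = tempfile.mkdtemp(prefix="cxf-leak-demo-")

    def put(name, size, age_s):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"\0" * size)
        os.utime(p, (now - age_s, now - age_s))  # backdate mtime to simulate age

    put("cos1234567890.tmp", 4096, 3600)   # leaked an hour ago
    put("cos2345678901.tmp", 8192, 7200)   # leaked two hours ago
    put("cos3456789012.tmp", 1024, 600)    # leaked ten minutes ago
    put("cos4567890123.tmp", 512, 5)       # fresh: a request still streaming
    put("upload-other.bin", 2048, 7200)    # old, but not a CXF spill file
    return d


if __name__ == "__main__":
    sample = build_sample_tmpdir()
    rep = scan_cos_tempfiles(sample, min_age_s=300)
    for path, size, age in rep.stale_files:
        print(f"stale {size:>8} B  {age / 60:6.1f} min  {path}")
    print(f"{len(rep.stale_files)} stale files, {rep.stale_bytes} bytes, "
          f"{rep.fresh_files} fresh; alert={exceeds_budget(rep)}")
```

Run it against the real java.io.tmpdir of a CXF host (or the output directory the deployment configures) and alert on exceeds_budget; a count that only ever grows is the signature of this CVE, while a stable, small population of fresh files is normal streaming traffic. Deleting stale files is a stopgap that frees disk but does not fix the leak; the fix is the upgrade listed above.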
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
The CVE describes a remote DoS via uncontrolled resource consumption (temp file accumulation leading to disk exhaustion) through exploitation of a software flaw in Apache CXF, directly matching Application or System Exploitation under Endpoint Denial of Service.
NVD Description
A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
Deeper analysis
CVE-2025-23184 is a potential denial-of-service vulnerability in Apache CXF versions before 3.5.10, 3.6.5, and 4.0.6. In some edge cases, CachedOutputStream instances may not be closed, and if backed by temporary files, this can fill up the file system. The issue affects both servers and clients utilizing Apache CXF.
The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating network accessibility with high attack complexity, no required privileges or user interaction, and unchanged scope. Remote attackers can exploit it to achieve high availability impact by exhausting file system space through unclosed temporary files, resulting in denial of service. It is associated with CWE-400 (Uncontrolled Resource Consumption).
Advisories, including those from Apache, OSS-Security, NetApp (ntap-20250214-0003), and Vicarius, point to upgrading to Apache CXF 3.5.10, 3.6.5, or 4.0.6 as the primary mitigation. Those advisories also describe how to detect and mitigate the CachedOutputStream issue on affected hosts.
Details
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)