CVE-2025-48913
Published: 08 August 2025
Summary
CVE-2025-48913 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apache Cxf. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely patching to fixed Apache CXF versions that reject RMI and LDAP protocols in JMS configurations.
Enforces validation of JMS configuration inputs to reject improper RMI or LDAP URLs, addressing the core CWE-20 improper input validation issue.
Applies least privilege to restrict JMS configuration access to only trusted users, eliminating the precondition for untrusted parties to specify dangerous protocols.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote arbitrary code execution via improper input validation on exposed web service (JMS config allowing malicious RMI/LDAP URLs).
NVD Description
If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended…
more
to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.
Deeper analysisAI
CVE-2025-48913 is a critical vulnerability in Apache CXF, a framework for building web services, specifically affecting its JMS (Java Message Service) configuration interface. The issue arises when untrusted users are permitted to configure JMS, allowing them to specify RMI or LDAP URLs. These protocols could previously be leveraged to achieve arbitrary code execution on the server. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-20 (Improper Input Validation).
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges or user interaction. Exploitation requires that untrusted users or remote parties be allowed to configure JMS in the Apache CXF deployment. Successful exploitation enables arbitrary code execution, granting high-impact confidentiality, integrity, and availability compromises on the affected system.
Apache advisories recommend upgrading to fixed versions 3.6.8, 4.0.9, or 4.1.3, which restrict the JMS configuration interface to reject RMI and LDAP protocols, thereby eliminating the code execution risk. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83 and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/08/07/2.
Details
- CWE(s)