
CVE-2025-48795: Apache CXF Denial of Service Vulnerability

CVE-2025-48795 is a denial of service flaw in Apache CXF where temporary files are loaded into memory and logged, causing out-of-memory exceptions. This article covers technical details, affected versions, and patches.

Updated: January 22, 2026

CVE-2025-48795 Overview

Apache CXF, a widely used open-source services framework, contains a vulnerability in how it handles large stream-based messages stored as temporary files. A bug introduced in the affected versions causes the entire temporary file to be read into memory and then logged, creating two distinct security issues: potential denial of service through memory exhaustion and information disclosure of sensitive data through unencrypted logging.

Critical Impact

Attackers can exploit this vulnerability to cause denial of service through out-of-memory exceptions, and sensitive credentials configured to be encrypted in temporary files may be written to logs in plaintext.

Affected Products

  • Apache CXF version 3.5.10
  • Apache CXF version 3.6.5
  • Apache CXF version 4.0.6
  • Apache CXF version 4.1.0

Discovery Timeline

  • 2025-07-15 - CVE-2025-48795 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2025-48795

Vulnerability Analysis

This vulnerability (CWE-400: Uncontrolled Resource Consumption) stems from improper handling of temporary files in Apache CXF's message processing pipeline. When CXF processes large stream-based messages, it stores them as temporary files on the local filesystem to manage memory efficiently. However, a bug in the implementation causes the entire contents of these temporary files to be loaded into memory during logging operations.

The dual impact of this vulnerability makes it particularly concerning for enterprise environments. First, the memory consumption issue allows attackers to craft specially sized messages that, when processed and logged, trigger Java heap exhaustion leading to application crashes. Second, organizations that have configured CXF to encrypt temporary files—specifically to protect sensitive credentials from being stored in plaintext on disk—find their security controls bypassed when the encrypted content is written to logs without encryption.

Root Cause

The root cause lies in the logging subsystem's interaction with the temporary file storage mechanism. When logging is enabled for message content, the code path reads the entire temporary file into memory rather than streaming it or logging only metadata. This violates the original design intent of using temporary files to avoid memory pressure from large messages.

Additionally, the logging function bypasses the encryption layer that may be configured for temporary file storage, directly reading and outputting the decrypted content to log files.

Attack Vector

The attack vector is network-based, requiring an attacker to send specially crafted large messages to an Apache CXF service endpoint. The attack complexity is considered high as it depends on specific logging configurations being enabled and the target environment's memory constraints.

An attacker would craft oversized stream-based messages and send them to the vulnerable CXF endpoint. When the service processes these messages and the logging subsystem attempts to log them, the entire message content is loaded into the JVM heap. By sending multiple large messages or a single extremely large message, an attacker can exhaust available memory and cause the application to crash with an OutOfMemoryError.

For information disclosure scenarios, the attacker would need knowledge that sensitive data is being transmitted through the CXF service and that temporary file encryption is configured. The decrypted content appearing in logs could then be accessed if log files are improperly secured or accessible to unauthorized parties.

Detection Methods for CVE-2025-48795

Indicators of Compromise

  • Unusual spikes in JVM heap memory usage during message processing
  • OutOfMemoryError exceptions in application logs correlated with large incoming requests
  • Unexpectedly large log files containing base64-encoded or plaintext message content
  • Application crashes or service unavailability following receipt of large SOAP/REST messages

Detection Strategies

  • Monitor JVM heap utilization metrics and alert on rapid memory consumption patterns
  • Implement log analysis rules to detect unusually large log entries that may contain full message payloads
  • Deploy application performance monitoring (APM) to track message processing latency and memory allocation
  • Audit log files for presence of sensitive credential data that should be encrypted
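An added example of the log-analysis rules above (not code from the original page or from Apache CXF): it scans constructed sample application log lines for the three indicators the page names, an OutOfMemoryError, a logged message body longer than the configured limit, and an unmasked credential element. The log line format, the element names and the 4096-byte threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not captured from a real CXF deployment):
# a normal request, an oversized logged payload, a credential element
# logged in plaintext, and the heap exhaustion the CVE can trigger.
SAMPLE_LOG_LINES = [
    "2026-01-22T10:00:01Z INFO  Greeter.REQ_IN Payload: <soap:Envelope><soap:Body><sayHi/></soap:Body></soap:Envelope>",
    "2026-01-22T10:00:02Z INFO  Upload.REQ_IN Payload: " + "A" * 5000,
    "2026-01-22T10:00:03Z INFO  Auth.REQ_IN Payload: <login><user>svc</user><password>Hunter2!</password></login>",
    "2026-01-22T10:00:04Z ERROR PhaseInterceptorChain java.lang.OutOfMemoryError: Java heap space",
]

PAYLOAD_RE = re.compile(r"Payload: (?P<body>.*)$")
# Assumed element names that should never appear unmasked in a log; seeing
# them means the message body reached the log verbatim.
SENSITIVE_RE = re.compile(r"<(password|secret|token|credential)>", re.IGNORECASE)
OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError")


def analyze_log_lines(lines, payload_limit=4096):
    """Return (line_no, finding) tuples for CVE-2025-48795 indicators.

    payload_limit mirrors the LoggingFeature 'limit' you configured: a
    logged body longer than it means the limit is not being honoured and
    the full temporary file is reaching the log.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if OOM_RE.search(line):
            findings.append((line_no, "oom"))
            continue
        match = PAYLOAD_RE.search(line)
        if not match:
            continue
        body = match.group("body")
        if len(body) > payload_limit:
            findings.append((line_no, "oversized_payload"))
        if SENSITIVE_RE.search(body):
            findings.append((line_no, "credential_in_log"))
    return findings


def summarize(findings):
    """Count findings per indicator so they can feed an alert rule."""
    return dict(Counter(kind for _, kind in findings))


if __name__ == "__main__":
    found = analyze_log_lines(SAMPLE_LOG_LINES)
    for line_no, kind in found:
        print(f"line {line_no}: {kind}")
    print(summarize(found))
```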

Monitoring Recommendations

  • Configure memory threshold alerts for Apache CXF service instances
  • Implement network-level monitoring for abnormally large incoming message payloads
  • Review log rotation policies to identify unexpected log size growth
  • Enable SentinelOne Singularity for real-time detection of resource exhaustion attacks

How to Mitigate CVE-2025-48795

Immediate Actions Required

  • Upgrade to Apache CXF version 3.5.11, 3.6.6, 4.0.7, or 4.1.1 immediately
  • Review current logging configurations and disable verbose message logging until patched
  • Implement JVM memory limits and restart policies to contain DoS impact
  • Audit existing log files for inadvertent disclosure of sensitive credentials

Patch Information

Apache has released fixed versions that address this vulnerability. Users should upgrade to the following versions based on their current deployment:

Current Version Branch    Fixed Version
3.5.x                     3.5.11
3.6.x                     3.6.6
4.0.x                     4.0.7
4.1.x                     4.1.1

For additional details, consult the Apache Mailing List Discussion and the Openwall OSS-Security Update.

Workarounds

  • Disable message content logging by setting appropriate CXF logging properties to prevent full message capture
  • Implement request size limits at the web server or load balancer level to reject oversized messages
  • Increase JVM heap size temporarily while preparing for upgrade (note: this reduces DoS impact but does not address information disclosure)
  • Ensure log files are stored with restrictive permissions and encrypted at rest to minimize credential exposure risk
```xml
<!-- Example: configure CXF's LoggingFeature so full message bodies are not
     written to the log. Add to cxf.xml or your Spring configuration. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cxf="http://cxf.apache.org/core"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">
  <cxf:bus>
    <cxf:features>
      <bean class="org.apache.cxf.ext.logging.LoggingFeature">
        <!-- Do not dump binary or multipart bodies into the log -->
        <property name="logBinary" value="false"/>
        <property name="logMultipart" value="false"/>
        <!-- Cap logged message content at 1024 bytes -->
        <property name="limit" value="1024"/>
      </bean>
    </cxf:features>
  </cxf:bus>
</beans>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details
  • Type: DOS
  • Vendor/Tech: Apache Cxf
  • Severity: MEDIUM
  • CVSS Score: 5.6
  • EPSS Probability: 0.07%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Impact Assessment
  • Confidentiality: High
  • Integrity: None
  • Availability: Low

CWE References
  • CWE-400

Technical References
  • Openwall OSS-Security Update

Vendor Resources
  • Apache Mailing List Discussion

Related CVEs
  • CVE-2025-23184: Apache CXF DOS Vulnerability
  • CVE-2024-32007: Apache CXF JOSE DOS Vulnerability
  • CVE-2021-30468: Apache CXF DOS Vulnerability
  • CVE-2025-48913: Apache CXF JMS RCE Vulnerability