Skip to main content

Apache Neethi CVE-2026-42402

| EUVDEUVD-2026-26485 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-01 apache GHSA-g36m-9g3m-2vmp
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
May 01, 2026 - 18:08 nvd
Patch available
Patch available
May 01, 2026 - 10:01 EUVD
Analysis Generated
May 01, 2026 - 09:30 vuln.today
EUVD ID Assigned
May 01, 2026 - 09:15 euvd
EUVD-2026-26485
Analysis Generated
May 01, 2026 - 09:15 vuln.today
CVE Published
May 01, 2026 - 08:54 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 337 maven packages depend on org.apache.neethi:neethi (13 direct, 324 indirect)

Ecosystem-wide dependent count for version 3.2.2.

DescriptionCVE.org

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion.

Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.

AnalysisAI

Algorithmic complexity denial of service in Apache Neethi allows remote unauthenticated attackers to exhaust JVM heap memory via malicious WS-Policy documents. Specially crafted policy documents trigger exponential Cartesian cross-product expansion during normalization, generating unbounded policy alternatives that consume all available memory. Apache has released version 3.2.2 with normalization limits to prevent exploitation. EPSS data not available; no CISA KEV listing identified at time of analysis.

Technical ContextAI

Apache Neethi is a WS-Policy (Web Services Policy) framework implementation used in Apache CXF and other SOAP-based web services stacks. WS-Policy uses XML-based assertions to express service requirements and capabilities, which must be normalized into alternative combinations for policy matching. The vulnerability exploits algorithmic complexity in the normalization process where nested policy alternatives can trigger Cartesian product expansion - if a policy contains N nested alternatives each with M options, normalization can generate M^N combinations. Without bounds checking, malicious policies with deeply nested or numerous alternatives cause exponential memory allocation during the conversion from compact policy representation to normalized alternative sets. This is a classic CWE-400 resource exhaustion attack targeting algorithmic complexity rather than simple input size. The affected component processes untrusted WS-Policy documents at service endpoints that use Apache Neethi for policy evaluation.

RemediationAI

Upgrade Apache Neethi to version 3.2.2 or later, which implements bounded limits on the maximum number of normalized policy alternatives generated during processing. For applications using Apache CXF or other frameworks embedding Neethi, verify dependency management configurations to pull the patched version and rebuild applications. If immediate patching is not feasible, implement compensating controls: configure web service endpoints to reject WS-Policy documents exceeding size thresholds (though size limits alone may not prevent compact policies with exponential expansion); deploy application firewalls or API gateways to validate WS-Policy document structure before reaching Neethi normalization; enable JVM heap monitoring and memory limits with automatic service restart to contain DoS impact duration; restrict WS-Policy document sources to trusted clients via authentication if possible (note: CVSS indicates PR:N but business logic may allow adding auth). Each workaround has trade-offs: size limits may block legitimate complex policies; authentication may break anonymous service access patterns; memory limits cause service interruptions during attacks. Patching to 3.2.2 is the only complete mitigation. Consult Apache advisory at https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4 for additional guidance.

Vendor StatusVendor

Share

CVE-2026-42402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy