Skip to main content

Apache Neethi CVE-2026-42403

| EUVDEUVD-2026-26486 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-01 apache GHSA-2hfh-9h53-qc24
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
May 01, 2026 - 18:08 nvd
Patch available
Patch available
May 01, 2026 - 10:01 EUVD
Analysis Generated
May 01, 2026 - 09:30 vuln.today
EUVD ID Assigned
May 01, 2026 - 09:15 euvd
EUVD-2026-26486
Analysis Generated
May 01, 2026 - 09:15 vuln.today
CVE Published
May 01, 2026 - 08:38 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 337 maven packages depend on org.apache.neethi:neethi (13 direct, 324 indirect)

Ecosystem-wide dependent count for version 3.2.2.

DescriptionCVE.org

Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

AnalysisAI

Denial of Service in Apache Neethi WS-Policy processor allows remote unauthenticated attackers to crash applications or cause resource exhaustion by sending crafted policy documents with circular references. The vulnerability (CVSS 7.5) triggers infinite loops or stack overflow during policy normalization when Policy A references Policy B which references Policy A. Apache released version 3.2.2 to address this flaw. With network vector, low complexity, and no authentication required (AV:N/AC:L/PR:N), this represents a readily exploitable attack surface for applications parsing untrusted WS-Policy documents, though no public exploit or active exploitation (KEV) has been identified at time of analysis.

Technical ContextAI

Apache Neethi is a WS-Policy (Web Services Policy) framework implementation used in Apache CXF and other web services stacks to define service behaviors, requirements, and capabilities. WS-Policy documents use XML-based policy assertions that can reference other policies via wsp:PolicyReference elements. The vulnerability stems from insufficient cycle detection in the policy normalization algorithm (CWE-400: Uncontrolled Resource Consumption). When processing policy references, Neethi fails to track visited policy nodes, allowing circular reference chains to cause unbounded recursion during the policy merge and normalization phases. This differs from XML entity expansion attacks-the issue is in graph traversal logic specific to policy reference resolution, not XML parsing itself. The affected component processes policy documents from WSDL definitions, WS-SecurityPolicy attachments, and runtime policy configurations.

RemediationAI

Upgrade Apache Neethi to version 3.2.2 or later, which implements proper circular reference detection in the policy normalization process. For Apache CXF users, upgrade to the latest CXF version that bundles Neethi 3.2.2-consult Apache CXF release notes to identify compatible versions. Verify the upgraded version using dependency management tools (Maven dependency:tree, Gradle dependencies, or similar). If immediate patching is not feasible, implement the following compensating controls with their trade-offs: Restrict WS-Policy document sources to trusted internal origins only (breaks scenarios requiring third-party WSDL/policy consumption). Deploy input validation to reject policy documents exceeding size or depth thresholds-set maximum policy reference depth to 5 levels and document size to 100KB (may break legitimate complex policies but prevents resource exhaustion). Configure application server thread timeouts and stack size limits to contain DoS impact (does not prevent the vulnerability but limits blast radius to individual threads). Enable request rate limiting on web service endpoints processing policy documents (reduces attack effectiveness but does not eliminate the vulnerability). Note that workarounds provide defense-in-depth only-upgrading to 3.2.2 is the definitive fix. See Apache advisory at https://lists.apache.org/thread/zm6t8skkkskjwk1881l4m4n0l7dqclzo for detailed upgrade instructions.

Vendor StatusVendor

Share

CVE-2026-42403 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy