Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6Blast Radius
ecosystem impact- 337 maven packages depend on org.apache.neethi:neethi (13 direct, 324 indirect)
Ecosystem-wide dependent count for version 3.2.2.
DescriptionCVE.org
Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition
Users are recommended to upgrade to version 3.2.2, which fixes this issue.
AnalysisAI
Denial of Service in Apache Neethi WS-Policy processor allows remote unauthenticated attackers to crash applications or cause resource exhaustion by sending crafted policy documents with circular references. The vulnerability (CVSS 7.5) triggers infinite loops or stack overflow during policy normalization when Policy A references Policy B which references Policy A. Apache released version 3.2.2 to address this flaw. With network vector, low complexity, and no authentication required (AV:N/AC:L/PR:N), this represents a readily exploitable attack surface for applications parsing untrusted WS-Policy documents, though no public exploit or active exploitation (KEV) has been identified at time of analysis.
Technical ContextAI
Apache Neethi is a WS-Policy (Web Services Policy) framework implementation used in Apache CXF and other web services stacks to define service behaviors, requirements, and capabilities. WS-Policy documents use XML-based policy assertions that can reference other policies via wsp:PolicyReference elements. The vulnerability stems from insufficient cycle detection in the policy normalization algorithm (CWE-400: Uncontrolled Resource Consumption). When processing policy references, Neethi fails to track visited policy nodes, allowing circular reference chains to cause unbounded recursion during the policy merge and normalization phases. This differs from XML entity expansion attacks-the issue is in graph traversal logic specific to policy reference resolution, not XML parsing itself. The affected component processes policy documents from WSDL definitions, WS-SecurityPolicy attachments, and runtime policy configurations.
RemediationAI
Upgrade Apache Neethi to version 3.2.2 or later, which implements proper circular reference detection in the policy normalization process. For Apache CXF users, upgrade to the latest CXF version that bundles Neethi 3.2.2-consult Apache CXF release notes to identify compatible versions. Verify the upgraded version using dependency management tools (Maven dependency:tree, Gradle dependencies, or similar). If immediate patching is not feasible, implement the following compensating controls with their trade-offs: Restrict WS-Policy document sources to trusted internal origins only (breaks scenarios requiring third-party WSDL/policy consumption). Deploy input validation to reject policy documents exceeding size or depth thresholds-set maximum policy reference depth to 5 levels and document size to 100KB (may break legitimate complex policies but prevents resource exhaustion). Configure application server thread timeouts and stack size limits to contain DoS impact (does not prevent the vulnerability but limits blast radius to individual threads). Enable request rate limiting on web service endpoints processing policy documents (reduces attack effectiveness but does not eliminate the vulnerability). Note that workarounds provide defense-in-depth only-upgrading to 3.2.2 is the definitive fix. See Apache advisory at https://lists.apache.org/thread/zm6t8skkkskjwk1881l4m4n0l7dqclzo for detailed upgrade instructions.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26486
GHSA-2hfh-9h53-qc24