Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6Blast Radius
ecosystem impact- 337 maven packages depend on org.apache.neethi:neethi (13 direct, 324 indirect)
Ecosystem-wide dependent count for version 3.2.2.
DescriptionCVE.org
Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion.
Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.
AnalysisAI
Algorithmic complexity denial of service in Apache Neethi allows remote unauthenticated attackers to exhaust JVM heap memory via malicious WS-Policy documents. Specially crafted policy documents trigger exponential Cartesian cross-product expansion during normalization, generating unbounded policy alternatives that consume all available memory. Apache has released version 3.2.2 with normalization limits to prevent exploitation. EPSS data not available; no CISA KEV listing identified at time of analysis.
Technical ContextAI
Apache Neethi is a WS-Policy (Web Services Policy) framework implementation used in Apache CXF and other SOAP-based web services stacks. WS-Policy uses XML-based assertions to express service requirements and capabilities, which must be normalized into alternative combinations for policy matching. The vulnerability exploits algorithmic complexity in the normalization process where nested policy alternatives can trigger Cartesian product expansion - if a policy contains N nested alternatives each with M options, normalization can generate M^N combinations. Without bounds checking, malicious policies with deeply nested or numerous alternatives cause exponential memory allocation during the conversion from compact policy representation to normalized alternative sets. This is a classic CWE-400 resource exhaustion attack targeting algorithmic complexity rather than simple input size. The affected component processes untrusted WS-Policy documents at service endpoints that use Apache Neethi for policy evaluation.
RemediationAI
Upgrade Apache Neethi to version 3.2.2 or later, which implements bounded limits on the maximum number of normalized policy alternatives generated during processing. For applications using Apache CXF or other frameworks embedding Neethi, verify dependency management configurations to pull the patched version and rebuild applications. If immediate patching is not feasible, implement compensating controls: configure web service endpoints to reject WS-Policy documents exceeding size thresholds (though size limits alone may not prevent compact policies with exponential expansion); deploy application firewalls or API gateways to validate WS-Policy document structure before reaching Neethi normalization; enable JVM heap monitoring and memory limits with automatic service restart to contain DoS impact duration; restrict WS-Policy document sources to trusted clients via authentication if possible (note: CVSS indicates PR:N but business logic may allow adding auth). Each workaround has trade-offs: size limits may block legitimate complex policies; authentication may break anonymous service access patterns; memory limits cause service interruptions during attacks. Patching to 3.2.2 is the only complete mitigation. Consult Apache advisory at https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4 for additional guidance.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26485
GHSA-g36m-9g3m-2vmp