Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 337 maven packages depend on org.apache.neethi:neethi (13 direct, 324 indirect)
Ecosystem-wide dependent count for version 3.2.2.
DescriptionCVE.org
Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.
Users are recommended to upgrade to version 3.2.2, which fixes this issue.
AnalysisAI
Server-Side Request Forgery (SSRF) in Apache Neethi allows remote attackers to make arbitrary outbound requests to internal IP addresses and non-HTTP/HTTPS protocols when an application explicitly calls the PolicyReference API to retrieve remote policies. The vulnerability affects all versions before 3.2.2, which restricts URI schemes to HTTP/HTTPS and blocks link-local, multicast, and any-local addresses. No active exploitation has been confirmed at this time.
Technical ContextAI
Apache Neethi is a Java library that processes WS-Policy specifications in Web Services. The PolicyReference API provides functionality to dynamically fetch policy documents from remote URIs. The vulnerability stems from insufficient validation of URI schemes and destination addresses before making outbound HTTP requests. CWE-918 (Server-Side Request Forgery) describes the root cause: the application fails to validate that user-supplied URLs reference only intended external hosts, allowing attackers to craft malicious URIs that cause the library to make requests to internal resources (RFC 1918 addresses, link-local addresses 169.254.0.0/16, multicast 224.0.0.0/4, loopback 127.0.0.0/8, or ::1/128) or invoke protocols other than HTTP/HTTPS. This occurs because the PolicyReference fetch operation does not restrict the destination of outbound connections.
RemediationAI
Upgrade Apache Neethi to version 3.2.2 or later, which restricts PolicyReference URI schemes to HTTP and HTTPS only and blocks requests to link-local (169.254.0.0/16), multicast (224.0.0.0/4), and any-local (127.0.0.0/8, ::1/128) address ranges. If immediate upgrade is not feasible, implement compensating controls: restrict outbound network access from the application to only intended external policy servers using firewall rules or network policies (e.g., deny egress to RFC 1918 ranges, 169.254.0.0/16, 224.0.0.0/4, and loopback addresses). Additionally, audit application code to identify all uses of the PolicyReference API and verify that policy URIs are not derived from untrusted user input; if possible, pre-validate and whitelist allowed policy URIs. Avoid using PolicyReference with user-controlled URIs until the patch is deployed. See Apache advisory at https://lists.apache.org/thread/zdspnt64zznyjyn648553kptx69w23oq for details.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26491