CVE-2025-48913
WSO2 Products impacted: no
Customer actions required: no
REPORTED VULNERABILITY
A vulnerability was reported in Apache CXF affecting the Java Message Service (JMS) transport classes. Exploiting this vulnerability may allow attackers to trigger unintended behavior in systems that rely on JMS as a supported transport mechanism [1].
REPORTED PRODUCTS
- WSO2 API Manager : 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0
- WSO2 Identity Server : 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0, 7.1.0
WSO2 JUSTIFICATION
The reported products do not make use of the Apache CXF component org.apache.cxf:cxf-rt-transports-jms, which is the only module affected by this vulnerability [2][3]. Therefore, the vulnerable code path is neither present nor exercised in the aforementioned products' runtime.
Some vulnerability scanners may incorrectly flag this issue due to the inclusion of other CXF components such as org.apache.cxf:cxf-core. However, the cxf-core library does not include the org.apache.cxf:cxf-rt-transports-jms component, which contains the vulnerable classes, and is therefore not affected by this vulnerability. Of the Snyk advisories, [3] confirms that the vulnerability affects org.apache.cxf:cxf-rt-transports-jms, whereas [4] clearly states that org.apache.cxf:cxf-core is not impacted. This further validates that the reported CVE does not apply to WSO2 API Manager. These detections are false positives resulting from indirect references to CXF dependencies.
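As an added check (not WSO2's or Apache CXF's code), the POSIX shell script below scans a product distribution for the affected artifact, so a scanner hit on cxf-core can be verified against what is actually shipped. The `lib` directory layout and the jar versions in the constructed sample are placeholders, not real product paths or versions.

```shell
#!/bin/sh
# Added example: report whether a distribution ships the JMS transport module
# that CVE-2025-48913 lives in. Exit status of cxf_jms_check:
#   0 = module absent (a scanner hit on cxf-core is a false positive)
#   1 = module, or its classes repackaged into another CXF jar, found
#   2 = directory does not exist
# Assumes jar paths contain no whitespace.

cxf_jms_check() {
  dist="$1"
  [ -d "$dist" ] || { echo "no such directory: $dist" >&2; return 2; }
  found=0
  # 1. Look for the affected artifact by file name anywhere under the distribution.
  hits=$(find "$dist" -type f -name 'cxf-rt-transports-jms*.jar' 2>/dev/null)
  if [ -n "$hits" ]; then
    printf 'AFFECTED: %s\n' $hits
    found=1
  fi
  # 2. Look inside every other CXF jar in case the JMS transport classes were
  #    shaded into it. Needs unzip; the step is skipped when unzip is missing.
  if command -v unzip >/dev/null 2>&1; then
    for jar in $(find "$dist" -type f -name 'cxf-*.jar' \
                   ! -name 'cxf-rt-transports-jms*.jar' 2>/dev/null); do
      if unzip -l "$jar" 2>/dev/null | grep -q 'org/apache/cxf/transport/jms/'; then
        echo "AFFECTED (bundled JMS transport classes): $jar"
        found=1
      fi
    done
  fi
  # 3. List the CXF jars that are present, so the reviewer can see what the
  #    scanner actually matched on (typically cxf-core).
  find "$dist" -type f -name 'cxf-*.jar' 2>/dev/null | sed 's/^/present: /'
  return "$found"
}

# Constructed sample distribution (placeholder layout and versions): an empty
# cxf-core jar and an empty HTTP transport jar, and no JMS transport module.
make_sample_dist() {
  d=$(mktemp -d)
  mkdir -p "$d/lib"
  : > "$d/lib/cxf-core-0.0.0-sample.jar"
  : > "$d/lib/cxf-rt-transports-http-0.0.0-sample.jar"
  echo "$d"
}

# Demo on the constructed sample; the expected verdict is "module absent".
sample=$(make_sample_dist)
cxf_jms_check "$sample" && echo "verdict: JMS transport module absent"
rm -rf "$sample"
```

Run it as `cxf_jms_check /path/to/unpacked/product` against a real distribution; a non-zero exit means the affected module, not just cxf-core, is actually present.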
CONCLUSION
- The vulnerable component, org.apache.cxf:cxf-rt-transports-jms, is not included in the aforementioned product distributions.
- Hence, flagging org.apache.cxf:cxf-core as affected by this CVE constitutes a false positive detection.