Apache Neethi Denial-of-Service Vulnerability via Unbounded Resource Allocation in Policy Normalization
Vulnerability
A denial-of-service vulnerability has been identified in Apache Neethi versions prior to 3.2.2. The issue arises from algorithmic complexity in the policy normalization process: a specially crafted WS-Policy document can cause an exponential increase in memory usage, because the normalizer performs an unbounded Cartesian cross-product expansion of nested alternatives, generating an excessive number of policy alternatives and ultimately exhausting the JVM heap. Users are advised to upgrade to version 3.2.2, which addresses this issue by limiting the maximum number of normalized policy alternatives.
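To illustrate the cross-product growth described above and the kind of cap the fix introduces, here is an added example that is not Neethi's code: a minimal WS-Policy normalizer in Python that first counts how many alternatives a document would expand to and refuses it once a budget is exceeded. The `MAX_ALTERNATIVES` value, the `urn:example` assertion namespace and the `sample_policy` document are constructed for this illustration, not taken from the project.

```python
import xml.etree.ElementTree as ET

WSP = "{http://www.w3.org/ns/ws-policy}"   # WS-Policy 1.5 namespace
MAX_ALTERNATIVES = 10_000                  # assumed illustrative budget, not Neethi's limit


class PolicyTooLarge(ValueError):
    """Normalization would exceed the alternative budget; reject before expanding."""


def count_alternatives(elem, limit=MAX_ALTERNATIVES):
    """Number of alternatives normalization would produce, without producing them.

    Policy and All multiply their children's counts (the Cartesian product),
    ExactlyOne sums them, and any other element is a single assertion.
    Raises PolicyTooLarge as soon as the running count passes the limit.
    """
    if elem.tag in (WSP + "Policy", WSP + "All"):
        total = 1
        for child in elem:
            total *= count_alternatives(child, limit)
            if total > limit:
                raise PolicyTooLarge(f"more than {limit} alternatives")
        return total
    if elem.tag == WSP + "ExactlyOne":
        total = 0
        for child in elem:
            total += count_alternatives(child, limit)
            if total > limit:
                raise PolicyTooLarge(f"more than {limit} alternatives")
        return total
    return 1


def _expand(elem):
    """Naive normalization: each alternative is a tuple of assertion tags."""
    if elem.tag in (WSP + "Policy", WSP + "All"):
        alts = [()]
        for child in elem:                       # the unbounded cross-product step
            alts = [a + b for a in alts for b in _expand(child)]
        return alts
    if elem.tag == WSP + "ExactlyOne":
        return [alt for child in elem for alt in _expand(child)]
    return [(elem.tag,)]


def normalize_xml(xml_text, limit=MAX_ALTERNATIVES):
    """Parse, budget-check, then expand; the up-front check is the mitigation."""
    root = ET.fromstring(xml_text)
    count_alternatives(root, limit)
    return _expand(root)


def sample_policy(n):
    """Constructed document: n ExactlyOne choices of two assertions under one All -> 2**n alternatives."""
    choices = "".join(f"<wsp:ExactlyOne><t:A{i}/><t:B{i}/></wsp:ExactlyOne>" for i in range(n))
    return (f'<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:t="urn:example">'
            f"<wsp:All>{choices}</wsp:All></wsp:Policy>")
```

With the budget in place, `normalize_xml(sample_policy(20))` is rejected during counting instead of attempting to build 2**20 alternatives in memory.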
Impact
Exploitation of this vulnerability leads to unbounded memory allocation, exhausting the JVM heap and causing a denial of service at runtime.
Remediation
Users should upgrade to Apache Neethi version 3.2.2 or later.
