CVE-2013-2160

Apache CXF 2.5.0-2.5.9, 2.6.0-2.6.6, 2.7.0-2.7.3 - Denial of Service via Crafted XML

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-2160. PoCs published by SEC Consult.

AI-analyzed exploit summary: This advisory describes a denial of service vulnerability in Apache CXF due to unbounded XML parsing, allowing attackers to cause high CPU usage or memory exhaustion via maliciously crafted SOAP messages.

Description

The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors.

Exploits (1)

exploitdb · writeup · verified
by SEC Consult · tags: text, dos, multiple
https://www.exploit-db.com/exploits/26710

Classification
Writeup 100%
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target: Apache CXF prior to 2.5.10, 2.6.7, and 2.7.4
No auth needed
Prerequisites: Network access to a vulnerable Apache CXF service
Analyzed by devstral-2 on Feb 16, 2026

References (12)

Core References (12)
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2013-1437.html
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2013-1028.html
Issue Tracking (confirm): https://bugzilla.redhat.com/show_bug.cgi?id=929197

Scores

EPSS 0.1225
EPSS Percentile 94.0%

Details

CWE: CWE-399 (Resource Management Errors)
Status published
Products (22)
apache/cxf 2.5.0
apache/cxf 2.5.1
apache/cxf 2.5.2
apache/cxf 2.5.3
apache/cxf 2.5.4
apache/cxf 2.5.5
apache/cxf 2.5.6
apache/cxf 2.5.7
apache/cxf 2.5.8
apache/cxf 2.5.9
... and 12 more
Published Aug 19, 2013
Tracked Since Feb 18, 2026