Apache CXF - Improper Input Validation Vulnerability

[JannisDev]

Hey there,

I've identified an open vulnerability in the image:

• Description: If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.
• Solution: Update to the latest version of the library. Vendor has provided fix in versions 3.6.8, 4.0.9, 4.1.3.
• Findings: /usr/share/mc-image-helper-1.48.11/lib/cxf-core-3.5.11.jar
• References: Apache, CVE-2025-48913

Please consider updating the affected library in the next release.

[itzg]

Thanks but you're referencing an old release, so this is not valid

https://github.com/itzg/mc-image-helper/releases/tag/1.50.2

Since you didn't provide the image tag you tried, be aware deprecated image tags

https://docker-minecraft-server.readthedocs.io/en/latest/versions/java/#deprecated-image-tags

[JannisDev]

Hi,

you're right — the finding was originally reported on an older release, but it’s still present in the latest version. The Apache CXF library version hasn’t changed:
/usr/share/mc-image-helper-1.50.2/lib/cxf-core-3.5.11.jar

I’m using the latest tag and pulled the image yesterday.