Description
Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion.

Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.
Published: 2026-05-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Neethi software is vulnerable to a denial‑of‑service condition caused by algorithmic complexity in policy normalization. The implementation expands policy alternatives using a Cartesian cross‑product without a defined limit, leading to unbounded memory allocation that can exhaust the JVM heap. As a result, an attacker can trigger a service crash or severe performance degradation through specially crafted WS‑Policy documents. The weakness is identified as CWE‑400 and CWE‑770, which highlight unbounded resource consumption.

Affected Systems

All installations of Apache Neethi up to the 3.2.1 release are affected. The vendor recommends upgrading to version 3.2.2 or later, where a maximum limit on normalized policy alternatives is enforced. There are no other specific vendor or product exceptions listed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity denial‑of‑service vulnerability. The EPSS score is < 1%, indicating a very low but nonzero likelihood of exploitation. The lack of a KEV listing suggests that no widespread attacks are currently reported. The most probable attack vector involves an attacker submitting a malicious WS‑Policy document to a service that uses Neethi for policy handling. If successful, the attacker can cause the process to consume all heap memory, leading to a crash or significant slowdown.

Generated by OpenCVE AI on May 14, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Neethi to version 3.2.2 or later to enforce a limit on normalized policy alternatives.
  • Configure the JVM heap size to a safe level using -Xmx to mitigate potential memory exhaustion.
  • Restrict access to components that process WS‑Policy documents to trusted networks or users to limit exposure.

Generated by OpenCVE AI on May 14, 2026 at 13:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g36m-9g3m-2vmp Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization
History

Thu, 14 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 01 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache neethi
CPEs cpe:2.3:a:apache:neethi:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache neethi

Fri, 01 May 2026 17:30:00 +0000

Type Values Removed Values Added
References

Fri, 01 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 09:15:00 +0000

Type Values Removed Values Added
Description Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion. Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.
Title Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Apache Neethi
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-01T16:21:05.909Z

Reserved: 2026-04-27T10:27:13.637Z

Link: CVE-2026-42402

cve-icon Vulnrichment

Updated: 2026-05-01T16:21:05.909Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T09:16:16.980

Modified: 2026-05-01T18:08:59.950

Link: CVE-2026-42402

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-01T08:54:41Z

Links: CVE-2026-42402 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T13:30:06Z

Weaknesses