Impact
The vulnerability resides in Apache CXF's JwsJsonContainerRequestFilter, which incorrectly trusts metadata from the first signature entry without validating it. This breaks the assumption that any accepted Content-Type or protected HTTP-header metadata is guaranteed to come from a verified signature. As a result, an attacker can craft a JWS JSON request that includes untrusted metadata, potentially steering downstream JAX-RS entity parsing or signed-header consistency checks. The impact can include unauthorized request handling, data leakage, or compromised integrity of the application's request processing pipeline.
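The trust pattern described above, next to a hardened form, as an added Python example that is not Apache CXF code. It assumes HS256 with a shared key and the JWS general JSON serialization fields (`payload`, `signatures`, `protected`, `signature`); the function names, key and sample message are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def entry_verifies(key: bytes, entry: dict, payload_b64: str) -> bool:
    # JWS signing input is BASE64URL(protected) "." BASE64URL(payload).
    signing_input = f"{entry['protected']}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64u_dec(entry["signature"]))

def first_entry_headers(jws: dict) -> dict:
    # Weak pattern: metadata is read from entry 0 whether or not it verified.
    return json.loads(b64u_dec(jws["signatures"][0]["protected"]))

def trusted_protected_headers(key: bytes, jws: dict) -> dict:
    # Hardened pattern: headers are parsed only from an entry that verified.
    for entry in jws["signatures"]:
        if entry_verifies(key, entry, jws["payload"]):
            headers = json.loads(b64u_dec(entry["protected"]))
            if headers.get("alg") == "HS256":
                return headers
    raise ValueError("no signature entry verified; metadata not trusted")

def unverified_entries(key: bytes, jws: dict) -> list:
    # Monitoring aid: indexes of signature entries that fail verification.
    return [i for i, e in enumerate(jws["signatures"])
            if not entry_verifies(key, e, jws["payload"])]

# Constructed sample: entry 0 carries an invalid signature, entry 1 is valid.
KEY = b"constructed-demo-key"
PAYLOAD = b64u(b'{"amount": 10}')

def make_entry(protected: dict, key: bytes = None) -> dict:
    p = b64u(json.dumps(protected).encode())
    mac = (hmac.new(key, f"{p}.{PAYLOAD}".encode(), hashlib.sha256).digest()
           if key else b"\x00" * 32)
    return {"protected": p, "signature": b64u(mac)}

SAMPLE = {"payload": PAYLOAD, "signatures": [
    make_entry({"alg": "HS256", "cty": "application/xml"}),
    make_entry({"alg": "HS256", "cty": "application/json"}, KEY)]}

if __name__ == "__main__":
    print("first entry cty:", first_entry_headers(SAMPLE)["cty"])
    print("verified cty:   ", trusted_protected_headers(KEY, SAMPLE)["cty"])
    print("unverified idx: ", unverified_entries(KEY, SAMPLE))
```

A non-empty result from `unverified_entries` on an otherwise accepted request is the kind of abnormal signature entry worth logging.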
Affected Systems
The flaw affects Apache CXF, a web services framework from the Apache Software Foundation. All versions prior to 4.2.2 and 4.1.7 are vulnerable. Users should upgrade to at least these versions to remediate the issue.
Risk and Exploitability
The CVSS score is 6.5, but the nature of the flaw suggests high potential for exploitation, especially in exposed web services environments. The EPSS score is 0.00015, indicating a very low exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. Inferred attack vectors involve remote attackers sending crafted JWS JSON requests to vulnerable services; the flaw does not require local access or privileged credentials. Given the bypass of critical signature verification, the risk to confidentiality, integrity, and availability of the affected application is significant. Monitoring for abnormal signature entries and applying the vendor's patch are essential to mitigate this threat.