Malformed WS-Policy can exhaust JVM heap via Neethi normalization
TL;DR - Apache Neethi < 3.2.2: a specially crafted WS-Policy document triggers exponential Cartesian cross-product expansion during normalization, exhausting JVM heap memory and killing the process. If your service normalises attacker-influenced policy documents, this is a reliable availability kill switch.
What happened
org.apache.neethi:neethi is a Java library for representing and normalising WS-Policy documents, widely used in SOAP-based Java stacks including Apache CXF.
CVE-2026-42402 is an algorithmic complexity DoS (CWE-400). During policy normalisation, Neethi computes a Cartesian cross-product of policy alternatives. A crafted input can make that expansion exponential - small document in, unbounded memory allocation out. The JVM heap fills up and the process dies.
| Item | Detail |
|---|---|
| Affected component | org.apache.neethi:neethi |
| Affected versions | < 3.2.2 |
| Fixed version | 3.2.2 |
| Severity | CVSS 3.1 7.5 (High) |
| Impact | Availability - heap exhaustion, process termination |
This is the same failure mode you see in XML bomb and regex catastrophic backtracking bugs: a small, cheap-to-craft input forces worst-case processing cost, and your server pays for it. The fix in 3.2.2 caps the maximum number of normalised policy alternatives.
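To see why the expansion is exponential and how a cap like the one in 3.2.2 bounds it, here is an added Python model of WS-Policy normalisation (simplified example code written for this post, not Neethi's implementation; the `All`/`ExactlyOne` classes, the `nested_choices` input and the cap value are constructed for illustration):

```python
from dataclasses import dataclass, field
from itertools import product
from typing import List, Tuple, Union

# Minimal model of the WS-Policy operators (not Neethi's own classes).
@dataclass
class Assertion:
    name: str

@dataclass
class All:
    children: List["Node"] = field(default_factory=list)

@dataclass
class ExactlyOne:
    children: List["Node"] = field(default_factory=list)

Node = Union[Assertion, All, ExactlyOne]
Alternative = Tuple[str, ...]

class AlternativeLimitExceeded(Exception):
    """Raised when normalisation would produce more alternatives than allowed."""

def normalize(node: Node, max_alternatives: int) -> List[Alternative]:
    """Return the normal form of `node` as a list of alternatives (tuples of
    assertion names). ExactlyOne contributes the sum of its children's
    alternatives; All contributes their Cartesian product, which is where
    the blow-up lives. The size check runs before each product is
    materialised, so the cap bounds memory instead of merely reporting it."""
    if isinstance(node, Assertion):
        return [(node.name,)]
    if isinstance(node, ExactlyOne):
        alts: List[Alternative] = []
        for child in node.children:
            alts.extend(normalize(child, max_alternatives))
            if len(alts) > max_alternatives:
                raise AlternativeLimitExceeded(f"{len(alts)} > {max_alternatives}")
        return alts
    alts = [()]  # All over nothing is a single empty alternative
    for child in node.children:
        child_alts = normalize(child, max_alternatives)
        if len(alts) * len(child_alts) > max_alternatives:
            raise AlternativeLimitExceeded(
                f"{len(alts)}x{len(child_alts)} > {max_alternatives}")
        alts = [a + b for a, b in product(alts, child_alts)]
    return alts

def nested_choices(depth: int) -> Node:
    """Constructed input: an All of `depth` two-way ExactlyOne choices.
    Linear input size, 2**depth alternatives in normal form."""
    return All([ExactlyOne([Assertion(f"a{i}"), Assertion(f"b{i}")])
                for i in range(depth)])
```

With `nested_choices(40)` and no cap the product would need 2^40 tuples; with a cap of 10,000 the model raises at the 14th nesting level, before anything large is allocated.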
Who is impacted
- Any application that includes org.apache.neethi:neethi and processes WS-Policy documents, particularly where policy input can cross a trust boundary.
- Highest risk: internet-facing services that accept or fetch policy documents dynamically and normalise them as part of request handling.
- Check both direct dependencies and transitive ones. Application servers that bundle SOAP or WS-* stacks (including Apache CXF) may shade or bundle Neethi internally.
| Package | Affected versions | Fixed version |
|---|---|---|
| org.apache.neethi:neethi | < 3.2.2 | 3.2.2 |
What to do now
"Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives."
- Upgrade org.apache.neethi:neethi to 3.2.2 or later.
- Inventory where Neethi appears - direct dependencies, transitive pulls, shaded jars, and any application server that bundles a SOAP or WS-* stack.
- Identify every endpoint or integration where WS-Policy content can be influenced by an external caller. Prioritise patching those first.
- While rolling out the patch, add operational guardrails:
  - monitor JVM heap usage and GC pressure on services that perform policy normalisation
  - alert on repeated OutOfMemoryError crashes or sudden memory spikes correlated with policy-processing code paths
