Apache OFBiz Security

Security Model

The Security Model describes the assumptions and guarantees the project makes with respect to security.
A detailed description of the Apache OFBiz Security Model is available at SECURITY.md.

Security Policy

The Security Policy defines the rules and procedures for reporting, handling, and disclosing security vulnerabilities.
The Apache Software Foundation (ASF) Security Policy, established by the ASF Security Team, applies to all ASF projects, including OFBiz.
For detailed information, please refer to the ASF Security Team webpage.

Reporting a Security Vulnerability

Security vulnerabilities should be reported privately to the Apache OFBiz Security Team at security@ofbiz.apache.org, following the ASF security reporting guidelines.
Before submitting a report, please carefully review the OFBiz Security Model to ensure the issue falls within the project's defined security scope and assumptions.
Please submit each vulnerability report in a separate email to facilitate efficient tracking and resolution.
Please do not report security issues through public issue trackers or mailing lists.
The OFBiz Security Team will acknowledge receipt of the report and work with the reporter to investigate and address the issue.

Documentation on Configuring and Deploying a Secure Apache OFBiz Instance

The OFBiz wiki provides guidance on how to securely configure and deploy Apache OFBiz instances.
The following resources are particularly relevant:
  • OFBiz Security Permissions: the page and its subpages describe the OFBiz permissions system and how to use it to secure your OFBiz instance.
  • Keeping OFBiz secure: the page and its subpages describe how to keep your OFBiz instance secure from known exploits and how to secure your OFBiz instance from a more general perspective.

List of Known Vulnerabilities

The following is a list of known security vulnerabilities in Apache OFBiz.
  • CVE-2025-61623; affected releases before 24.09.03; fixed in 24.09.03 with commits 4c624298a6, e8ad44dc36, 505c88cf45, 63dc7833e3, aa0db808a6, 664931eccc
  • CVE-2025-59118; affected releases before 24.09.03; fixed in 24.09.03 with commits e1d30e8f55, cfee3063b1, fd6a3b8644
  • CVE-2025-54466; affected releases before 24.09.02; fixed in 24.09.02 with commit 5a35b4f84f
  • CVE-2025-30676; affected releases before 18.12.19; fixed in 18.12.19 with commits ddfe3727b1, e7b7ae0eaa, dba044c706
  • CVE-2025-26865; affected OFBiz between releases 18.12.17 and 18.12.18; fixed in 18.12.18 with commits 5c725123d2, e663c6c1e9, ce62dce28a
  • CVE-2024-48962; affected releases before 18.12.17; fixed in 18.12.17 with commit 761fb67d7f
  • CVE-2024-47208; affected releases before 18.12.17; fixed in 18.12.17 with commit f044a7e5bf
  • CVE-2024-45507; affected releases before 18.12.16; fixed in 18.12.16 with commit ffb1bc4879
  • CVE-2024-45195; affected releases before 18.12.16; fixed in 18.12.16 with commits ab78769c2d, 8b95fe6fa
  • CVE-2024-38856; affected releases before 18.12.15; fixed in 18.12.15 with commit 31d8d7
  • CVE-2024-36104; affected releases before 18.12.14; fixed in 18.12.14 with commits d33ce31012, 474e806816
  • CVE-2024-32113; affected releases before 18.12.13; fixed in 18.12.13 with commits b3b87d98dd, ff316b6e22
  • CVE-2024-23946; affected releases before 18.12.12; fixed in 18.12.12 with commits b1cf4ef3e1, 93f8a58419, c910e413ba
  • CVE-2024-25065; affected releases before 18.12.12; fixed in 18.12.12 with commit b91a9b7f26
  • CVE-2023-51467; affected releases before 18.12.11; fixed in 18.12.11 with commits d8b097f, 1dcfa07180
  • CVE-2023-50968; affected releases before 18.12.11; fixed in 18.12.11 with commit 82c1737688
  • CVE-2023-49070; affected release 18.12.09; fixed in 18.12.10 with commit c59336f604
  • CVE-2023-46819; affected release 18.12.08; fixed in 18.12.09 with commit 998bf510a
  • CVE-2022-25371; affected release 18.12.07; fixed in 18.12.08 with commit 41ff12cf8
  • CVE-2022-47501; affected releases before 18.12.07; fixed in 18.12.07 with commit 582add7d3
  • CVE-2022-25813; affected releases before 18.12.06; fixed in 18.12.06 with commits 843b1c7e71, 3797e60375, b24dcff344, 871ce2aa2e, 829e1ca53, 16ed130367, 5cc45e8701
  • CVE-2022-29063; affected releases before 18.12.06; fixed in 18.12.06 with commit 061252a80
  • CVE-2022-29158; affected releases before 18.12.06; fixed in 18.12.06 with commit ff92c4bc9
  • CVE-2022-25371; affected releases before 18.12.06; fixed in 18.12.06 by temporarily disabling Birt component waiting for https://github.com/eclipse/birt/issues/625 to be resolved
  • CVE-2022-25370; affected releases before 18.12.06; fixed in 18.12.06 by temporarily disabling Birt component waiting for https://github.com/eclipse/birt/issues/625 to be resolved
  • CVE-2021-45105; affected all releases before 17.12.09 and 18.12.04; fixed in 17.12.09 and 18.12.04 with commits 00896e7, c69bc8f, 4442c2a
  • CVE-2021-44228; affected all releases before 17.12.09 and 18.12.03; fixed in 17.12.09 and 18.12.03 with commits 00896e7, c69bc8f, bccf140
  • CVE-2021-37608; affected all releases before 17.12.08; fixed in 17.12.08 with commit 8d49af4
  • CVE-2021-30128; affected all releases before 17.12.07; fixed in 17.12.07 with commits 643b9c7, a343812, 62e657f, fcc0078, 3f97578, 7fd9d05
  • CVE-2021-29200; affected all releases before 17.12.07; fixed in 17.12.07 with commit 1bc8a20
  • CVE-2021-26295; affected all releases before 17.12.07; fixed in 17.12.06 with commit af9ed4e
  • CVE-2020-9496; affected releases: 17.12.03; fixed in 17.12.04
  • CVE-2020-13923; affected all releases before 17.12.04; fixed in 17.12.04
  • CVE-2019-12425; affected releases: 17.12.01; fixed in 17.12.03 with commit 793628b
  • CVE-2019-0235; affected releases: 17.12.01; fixed in 17.12.03 with commits 82ef7a5, 62f9b45
  • CVE-2020-1943; affected releases: from 16.11.01 to 16.11.07; fixed in 17.12.01
  • CVE-2019-12426; affected releases: from 16.11.01 to 16.11.06; fixed in 16.11.07 with revision 1869887
  • CVE-2018-17200; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions 1850017, 1850019
  • CVE-2019-0189; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions specified in OFBIZ-10770, OFBIZ-10837
  • CVE-2019-10073; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revisions 1858438, 1858543, 1860595, 1860616
  • CVE-2019-10074; affected releases: from 16.11.01 to 16.11.05; fixed in 16.11.06 with revision 1858533
  • CVE-2018-8033; affected releases: from 16.11.01 to 16.11.04; fixed in 16.11.05 with revisions 1833708, 1836141
  • CVE-2011-3600; affected releases: from 16.11.01 to 16.11.04; fixed in 16.11.05 with revisions 1833724, 1833708, 1836141
  • CVE-2017-15714; affected releases: from 16.11.01 to 16.11.03; fixed in 16.11.04 with revision 1759065
  • CVE-2016-6800; affected releases: 13.07.*, 12.04.*, 11.04.*; fixed in 16.11.01 with revisions 1759065 and 1759218
  • CVE-2016-4462; affected releases: 13.07.*, 12.04.*, 11.04.*; fixed in 16.11.01 with revisions 1761978, 1761986 and 1761987
  • CVE-2016-2170; affected releases: 13.07.02 and earlier versions (13.07.*), 12.04.05 and earlier versions (12.04.*); fixed in 13.07.03 and 12.04.06
  • CVE-2015-3268; affected releases: 13.07.02 and earlier versions (13.07.*), 12.04.05 and earlier versions (12.04.*); fixed in 13.07.03 and 12.04.06
  • CVE-2014-0232; affected releases: 12.04.03 and earlier versions (12.04.*), 11.04.04 and earlier versions (11.04.*); fixed in 12.04.04 and 11.04.05
  • CVE-2013-2250; affected releases: 12.04.01, 11.04.02 and earlier versions (11.04.*), 10.04.05 and earlier versions (10.04.*); fixed in 12.04.02, 11.04.03 and 10.04.06
  • CVE-2013-2137; affected releases: 12.04.01, 11.04.02 and earlier versions (11.04.*), 10.04.05 and earlier versions (10.04.*); fixed in 12.04.02, 11.04.03 and 10.04.06
  • CVE-2013-0177; affected releases: 11.04.01, 10.04.04 and earlier versions (10.04.*); fixed in 11.04.02 and 10.04.05
  • CVE-2012-3506; affected releases: 10.04.02, 10.04 (10.04.01); fixed in 10.04.03
  • CVE-2012-1622; affected releases: 10.04 (10.04.01); fixed in 10.04.02
  • CVE-2012-1621; affected releases: 10.04 (10.04.01); fixed in 10.04.02
  • CVE-2010-0432; affected releases: 09.04; fixed in 09.04.01

Copyright © 2026 The Apache Software Foundation. Licensed under the Apache License, Version 2.0.
Apache OFBiz, OFBiz, the project logo and the Apache feather logo are trademarks of The Apache Software Foundation.