...
This has been fixed in revision:
http://svn.apache.org/viewvc?view=revision&revision=1233457
This issue was a regression in CXF 2.4.5 and 2.5.1. The vulnerability does not
exist in CXF 2.4.4 and 2.5.0.
...
CXF 2.4.5 users should upgrade to 2.4.6 as soon as possible.
CXF 2.5.1 users should upgrade to 2.5.2 as soon as possible.
References: http://cxf.apache.org/security-advisories.html
...