There is a security finding with the API GW package having a vulnerable cxf-core library.
In Gateway version 11.0, it's cxf-core-3.2.9.jar
& in Gateway version 11.1.3, it is cxf-core-3.5.11.jar
Both seem vulnerable to the CVE (Apache CXF < 3.6.8 / 4.x < 4.0.9 / 4.1.x < 4.1.3 RCE (CVE-2025-48913)) & the suggested fixed version is 3.6.8.
Is this library being used by the Gateway service, making it vulnerable? If so, how can it be fixed?
If not, can we remove the library safely without affecting Gateway functionality?
Applies to: All supported versions of API Gateway
Gateway is not affected by CVE-2025-48913. Gateway does not use Apache CXF (e.g. JaxWsServerFactoryBean) to configure or manage JMS connections. Also, JMS connections are not publicly exposed via an unauthenticated API through which attackers could configure JMS.
We are also updating the CXF library in 11.2, which will be released in December, if the customer would like the updated library.
Also, we do not advise removing the library.
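The finding above is driven purely by the jar version on disk, so the quickest way to confirm what a scanner will report (for the current install, or after the 11.2 library update) is to locate every cxf-core-*.jar under the Gateway install directory and compare its version against the fixed version for its branch as quoted in the finding (3.x < 3.6.8, 4.0.x < 4.0.9, 4.1.x < 4.1.3). The script below is an added example, not code from the Gateway product or its vendor; the install path is whatever the caller passes in, and the jar names in the demo tree are constructed to mirror the two versions mentioned in the question.

```python
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Fixed versions per release branch, taken from the scanner finding quoted above
# (Apache CXF < 3.6.8 / 4.0.x < 4.0.9 / 4.1.x < 4.1.3 for CVE-2025-48913).
FIXED_VERSIONS = {
    (3,): (3, 6, 8),
    (4, 0): (4, 0, 9),
    (4, 1): (4, 1, 3),
}

# Matches the artifact naming used by the Gateway packages, e.g. cxf-core-3.5.11.jar
JAR_RE = re.compile(r"^cxf-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.5.11' into (3, 5, 11) so tuple comparison gives numeric ordering."""
    return tuple(int(part) for part in text.split("."))


def fixed_version_for(version: Tuple[int, ...]) -> Optional[Tuple[int, ...]]:
    """Return the first fixed version on this branch, or None for a branch the finding does not cover."""
    if version[0] == 3:
        return FIXED_VERSIONS[(3,)]
    if version[0] == 4 and len(version) > 1 and (4, version[1]) in FIXED_VERSIONS:
        return FIXED_VERSIONS[(4, version[1])]
    return None


def is_affected(version_text: str) -> Optional[bool]:
    """True if the jar version is below the fixed version for its branch,
    False if it is at or above it, None if the branch is unknown (flag for manual review)."""
    version = parse_version(version_text)
    fixed = fixed_version_for(version)
    if fixed is None:
        return None
    return version < fixed


def scan_for_cxf_core(root: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Walk an install directory and report (relative path, version, affected?) for every cxf-core jar."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            match = JAR_RE.match(name)
            if match:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, match.group(1), is_affected(match.group(1))))
    return sorted(findings)


def demo_scan() -> List[Tuple[str, str, Optional[bool]]]:
    """Build a constructed install tree (not a real Gateway layout) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample: the two versions from the question plus one at the fixed version.
        for sub, version in (("gw-11.0/lib", "3.2.9"),
                             ("gw-11.1.3/lib", "3.5.11"),
                             ("gw-11.2/lib", "3.6.8")):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, f"cxf-core-{version}.jar"), "wb") as fh:
                fh.write(b"")  # only the file name matters for this check
        return scan_for_cxf_core(root)


if __name__ == "__main__":
    for path, version, affected in demo_scan():
        state = {True: "AFFECTED", False: "fixed", None: "unknown branch"}[affected]
        print(f"{path}: cxf-core {version} -> {state}")
```

Run it against the real install directory by calling scan_for_cxf_core("/path/to/gateway") instead of demo_scan(); a result of True only means the scanner will keep flagging that jar, which is consistent with the resolution above that the Gateway code path itself is not exposed.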