CVE-2025-32950

EPSS 0.59%
Veröffentlicht 22.04.2025 17:14:43
Zuletzt bearbeitet 31.12.2025 16:04:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the `/files` endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 12

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Haulmont ≫ Jmix Framework Version >= 1.0.0 < 1.6.2

Haulmont ≫ Jmix Framework Version >= 2.0.0 < 2.4.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.59%	0.436

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-35 Path Traversal: '.../...//'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

https://github.com/jmix-framework/jmix/security/advisories/GHSA-jx4g-3xqm-62vh

Vendor Advisory

https://docs.jmix.io/jmix/files-vulnerabilities.html

Vendor Advisory

https://docs.jmix.io/jmix/files-vulnerabilities.html#fix-path-traversal-in-jmix-application

Vendor Advisory

https://github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4c8f7a2

Patch

https://github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a6250cb6a

Patch

https://github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc5866169daa37

Patch

https://github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540d024aa

Patch

https://github.com/jmix-framework/jmix/issues/3804

Issue Tracking

https://github.com/jmix-framework/jmix/issues/3836

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-32950

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-32950

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32950

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-32950