VYPR
Moderate severity · NVD Advisory · Published Nov 17, 2025 · Updated Nov 17, 2025

lsfusion platform ZipUtils.java unpackFile path traversal

CVE-2025-13265

Description

A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java. This manipulation causes path traversal. It is possible to initiate the attack remotely.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in lsfusion platform's ZipUtils.unpackFile allows remote attackers to overwrite or delete arbitrary files via a crafted zip archive.

CVE-2025-13265: Path Traversal in lsfusion ZipUtils

The vulnerability resides in the unpackFile method of ZipUtils.java in the lsfusion platform up to version 6.1. The method fails to validate file names or symbolic links within a ZIP archive during extraction, allowing directory traversal sequences like ../ to escape the intended target directory [1][3].

Exploitation is possible remotely via MakeUnzipFileAction or the EmailReceiver component, both of which invoke the vulnerable unpackFile method. An attacker can craft a malicious ZIP archive containing entries with path traversal patterns, leading to file extraction outside the designated folder [3].

Successful exploitation enables arbitrary file overwrite and deletion on the server. This could be leveraged to overwrite critical system files or configuration, potentially resulting in code execution or denial of service [3].

Users should upgrade to lsfusion version newer than 6.1, as the vulnerability has been addressed in subsequent releases. No official workaround has been provided, but restricting access to affected actions may reduce risk.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
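The missing check described above (every entry name validated against the extraction directory before anything is written to disk) as an added example that is not lsfusion's own code: a self-contained Java extractor whose `resolveInside` helper normalizes each entry path and rejects any entry that leaves the target directory. The class and method names (`SafeUnzip`, `resolveInside`, `unpack`, `ZipSlipException`) and the in-memory sample archive built in `main` are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public final class SafeUnzip {

    /** Thrown when an archive entry would resolve outside the target directory. */
    public static final class ZipSlipException extends IOException {
        public ZipSlipException(String entryName) {
            super("Archive entry escapes target directory: " + entryName);
        }
    }

    /**
     * Resolve an entry name against the target directory and accept it only if the
     * normalized result still lies inside that directory. "../" segments and absolute
     * entry names both fail this containment test, so nothing is written for them.
     */
    static Path resolveInside(Path targetDir, String entryName) throws ZipSlipException {
        Path root = targetDir.toAbsolutePath().normalize();
        Path candidate = root.resolve(entryName).normalize();
        // Path.startsWith compares whole path components, so "/tmp/out2" is not inside "/tmp/out".
        if (!candidate.startsWith(root)) {
            throw new ZipSlipException(entryName);
        }
        return candidate;
    }

    /** Extract the archive into targetDir, refusing any entry that escapes it. */
    public static void unpack(InputStream archive, Path targetDir) throws IOException {
        Files.createDirectories(targetDir);
        try (ZipInputStream zis = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path dest = resolveInside(targetDir, entry.getName()); // validate before writing
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                } else {
                    Files.createDirectories(dest.getParent());
                    // ZipInputStream returns end-of-stream at the end of the current entry.
                    Files.copy(zis, dest, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one benign entry followed by one traversal entry.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry("docs/readme.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.txt"));
            zos.write("must not land outside the target".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }

        Path target = Files.createTempDirectory("safe-unzip");
        try {
            unpack(new ByteArrayInputStream(buf.toByteArray()), target);
        } catch (ZipSlipException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        System.out.println("Benign entry extracted: "
                + Files.exists(target.resolve("docs/readme.txt")));
        System.out.println("Traversal entry written: "
                + Files.exists(target.getParent().resolve("escaped.txt")));
    }
}
```

`resolveInside` is a lexical check on the normalized name, which is what the standard `java.util.zip` API needs because it does not create symbolic links from entries. If the target directory may already contain symlinks (for example from a previous extraction), add a second check after creating the parent directory, comparing `dest.getParent().toRealPath()` against `root.toRealPath()`, so a pre-existing link cannot redirect a lexically valid entry outside the tree.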

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: lsfusion.platform:server (Maven)
Affected versions: <= 6.0-beta2
Patched versions: (not listed)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.