VYPR
Medium severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-14311

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JMRI. This issue affects JMRI: before 5.13.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JMRI before 5.13.3 allows path traversal via malicious ZIP files, enabling arbitrary file overwrite or code execution.

Vulnerability - Path Traversal in ZIP extraction

The JMRI application, a model railroad control software project, contains a Zip Slip vulnerability (CWE-22: Path Traversal) in the unzipFunction() within unzip_cloned.java [1]. The vulnerable code constructs destination file paths directly from ZIP entry names without validation, allowing entries like ../../../etc/passwd to escape the intended extraction directory [1].

Exploitation

An attacker can exploit this by crafting a malicious ZIP file containing entries with path traversal sequences. The vulnerability can be triggered when JMRI processes such a ZIP file, which may occur when importing custom panels, configuration files, or during remote access using built-in JMRI services [1]. No authentication is required if the application is exposed to untrusted ZIP files.

Impact

Successful exploitation permits arbitrary file write to locations outside the extraction directory. This could lead to overwriting critical application files or system files (such as user credentials or startup scripts), potentially resulting in remote code execution or privilege escalation [1].

Mitigation

The issue is fixed in JMRI version 5.13.3, which includes proper path normalization and validation: file.toPath().normalize() and startsWith(directory.toPath().normalize()) ensure the final path remains within the target directory [1]. Users should upgrade to the latest version; no workaround is provided for earlier releases.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

2

References

1
