CVE-2025-1584
Description
A vulnerability classified as problematic was found in opensolon Solon up to version 3.0.8. It affects unspecified code in the file solon-projects/solon-web/solon-web-staticfiles/src/main/java/org/noear/solon/web/staticfiles/StaticMappings.java. Manipulating the request path leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 3.0.9 addresses this issue. The patch is commit f46e47fd1f8455b9467d7ead3cdb0509115b2ef1. Upgrading the affected component is recommended.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.noear:solon-web-staticfiles (Maven) | < 3.0.9 | 3.0.9 |
Patches
f46e47fd1f84 Fix a potential security issue in solon-web-staticfiles
2 files changed · +23 −19
solon-projects/solon-web/solon-web-staticfiles/src/main/java/org/noear/solon/web/staticfiles/StaticMappings.java+21 −18 modified@@ -68,27 +68,30 @@ public static void remove(StaticRepository repository) { public static URL find(String path) throws Exception { URL rst = null; - for (StaticLocation m : locationMap.values()) { - if (path.startsWith(m.pathPrefix)) { - if (m.repositoryIncPrefix) { - //path = /demo/file.htm - //relativePath = demo/file.htm (没有'/'开头) - rst = m.repository.find(path.substring(1)); - } else { - //path = /demo/file.htm - //relativePath = demo/file.htm (没有'/'开头) - if (m.pathPrefixAsFile) { - //如果是文件 - int idx = m.pathPrefix.lastIndexOf("/"); - rst = m.repository.find(m.pathPrefix.substring(idx + 1)); + if (path.contains("/../") == false) { + // '/../' 不安全,禁止进入静态资料库 + for (StaticLocation m : locationMap.values()) { + if (path.startsWith(m.pathPrefix)) { + if (m.repositoryIncPrefix) { + //path = /demo/file.htm + //relativePath = demo/file.htm (没有'/'开头) + rst = m.repository.find(path.substring(1)); } else { - //如果是路段 - rst = m.repository.find(path.substring(m.pathPrefix.length())); + //path = /demo/file.htm + //relativePath = demo/file.htm (没有'/'开头) + if (m.pathPrefixAsFile) { + //如果是文件 + int idx = m.pathPrefix.lastIndexOf("/"); + rst = m.repository.find(m.pathPrefix.substring(idx + 1)); + } else { + //如果是路段 + rst = m.repository.find(path.substring(m.pathPrefix.length())); + } } - } - if (rst != null) { - return rst; + if (rst != null) { + return rst; + } } } }
UPDATE_LOG.md+2 −1 modified@@ -30,7 +30,8 @@ ### v3.0.9 * 修复 solon-docs-openapi2 @Body 注解识别失灵的问题 * 修复 solon-data nested 事务策略单独回滚失效的问题 -* 调整 solon-flow 用 layout 替代 nodes 配置(标为弃用) +* 修复 solon-web-staticfiles 的一个潜在安全问题 +* 调整 solon-flow 用 layout 替代 nodes 配置(旧的仍可用,标为弃用) ### v3.0.8 * 添加 solon-web-sse SseRender 渲染器,支持 "text/event-stream" 的任意类型处理
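Review bot: in the StaticMappings.java hunk, `path.contains("/../") == false` is a substring denylist rather than canonicalization: it matches only that exact spelling of the parent-directory sequence, and whether `path` has already been percent-decoded, or can carry a `..` segment that is not followed by a slash, depends on the caller. The guard should be complemented by normalizing the resolved location (`java.nio.file.Path.normalize()` or `java.net.URI.normalize()`) and refusing any result that lies outside the repository root, and `!path.contains("/../")` is the idiomatic form of the test. Wrapping the whole loop in the new `if` also re-indents every line of it, making the hunk far larger than an early guard (`if (path.contains("/../")) { return null; }` placed before the `for`) would be.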
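Review bot: the new UPDATE_LOG.md entry under v3.0.9 names neither the issue (#332, linked in this advisory's references) nor the nature of the problem (path traversal in `StaticMappings.find`), so a reader of the changelog cannot tell that this release carries a security fix worth prioritizing; consider "Fix path traversal in solon-web-staticfiles StaticMappings (#332)". The same hunk also rewords the unrelated solon-flow line, which is better kept out of a security commit so the fix can be backported cleanly.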
Vulnerability mechanics
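The following added example (written for this page, not Solon's own code) sets the patch's `path.contains("/../")` substring check beside a canonical-containment check that resolves the request under the mapping root, normalizes it, and requires the result to stay under that root; the `StaticResolver` class, its fields, the root directory and the sample requests are assumptions. It goes beyond the patch, which adds only the substring check.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example for this page, not Solon's code. StaticResolver, root and the
// sample requests are assumed; only the "/../" substring test mirrors the patch.
public final class StaticResolver {
    private final Path root;          // directory the mapping serves files from
    private final String pathPrefix;  // URL prefix of the mapping, e.g. "/static/"

    public StaticResolver(Path root, String pathPrefix) {
        this.root = root.toAbsolutePath().normalize();
        this.pathPrefix = pathPrefix;
    }

    /** The guard added in commit f46e47f: rejects only the literal "/../" sequence. */
    public static boolean substringCheckRejects(String path) {
        return path.contains("/../");
    }

    /**
     * Canonical containment: resolve the request under root, normalize away any
     * "." and ".." segments, and require the result to still lie under root.
     * Returns null when the request must be refused.
     */
    public Path resolve(String requestPath) {
        if (requestPath == null || !requestPath.startsWith(pathPrefix)) {
            return null;
        }
        String relative = requestPath.substring(pathPrefix.length());
        Path candidate = root.resolve(relative).normalize();
        // startsWith compares whole path elements, so "/srv/www/static2" is not under root.
        if (!candidate.startsWith(root)) {
            return null; // escaped the mapping root, e.g. via "../"
        }
        return candidate;
    }

    public static void main(String[] args) {
        StaticResolver r = new StaticResolver(Paths.get("/srv/www/static"), "/static/");
        // Constructed requests: a normal file, the advisory's "../" pattern, and a
        // legitimate path that the substring check refuses although it never leaves root.
        String[] samples = {"/static/app.css", "/static/../../etc/passwd", "/static/css/../app.css"};
        for (String s : samples) {
            System.out.printf("%-26s substringRejects=%-5b canonical=%s%n",
                    s, substringCheckRejects(s), r.resolve(s));
        }
    }
}
```

The third sample shows the trade-off: the substring check refuses a request that resolves inside the root, while the containment check accepts it and still refuses the second.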
References
- github.com/advisories/GHSA-x8q6-cchr-p7m6 (advisory, listed by GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-1584 (advisory, listed by GHSA)
- github.com/opensolon/solon/commit/f46e47fd1f8455b9467d7ead3cdb0509115b2ef1 (web, listed by NVD)
- github.com/opensolon/solon/issues/332 (web, listed by NVD)
- vuldb.com (web, listed by NVD)