Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT
Description
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.
The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendant of the base file without throwing an exception. This issue affects Apache Commons VFS before 2.10.0.
Users are recommended to upgrade to version 2.10.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Commons VFS before 2.10.0 fails to properly validate encoded path traversal sequences in resolveFile with NameScope.DESCENDENT, allowing relative path traversal.
Vulnerability
Description
The resolveFile method in Apache Commons VFS's FileObject API accepts a scope parameter. When NameScope.DESCENDENT is specified, the API promises to throw an exception if the resolved file is not a descendant of the base file. However, versions before 2.10.0 fail to correctly handle URL-encoded path traversal sequences. For example, a path containing %2E%2E/bar.txt (where %2E%2E decodes to ..) bypasses the descendant check and returns a file object outside the base directory without throwing an exception [1][2].
Exploitation
Conditions
An attacker can exploit this vulnerability by supplying a crafted path to an application that uses Apache Commons VFS and calls resolveFile with NameScope.DESCENDENT. No special authentication or network position is required if the application exposes file resolution functionality to untrusted input. The attacker simply provides a path containing encoded .. sequences to traverse to parent directories [1][2].
Impact
Successful exploitation allows an attacker to read or write files outside the intended base directory, depending on how the application uses the returned FileObject. This could lead to information disclosure or unauthorized file operations. The Apache security team has rated this issue as low severity [2].
Mitigation
Users should upgrade to Apache Commons VFS version 2.10.0, which corrects the path validation logic [1][3]. No workaround is provided for earlier versions. The vulnerability was discovered by Arnout Engelen [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
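The flaw described above and the corresponding fix, as an added example that is not Commons VFS code: a minimal Python model of a descendant-only resolver, with a check in the pre-2.10.0 style that inspects the still-encoded path segments beside a hardened version that percent-decodes before normalizing and verifying containment. The base directory `/srv/data` and the sample paths are constructed for the illustration.

```python
# Added illustration for this advisory, not Commons VFS code: a minimal model of a
# "descendant-only" resolver. The base directory and paths are constructed samples.
import posixpath
from urllib.parse import unquote


def _fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded '..' cannot slip through."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("path is encoded too many times")


def naive_resolve(base: str, relative: str) -> str:
    """Models the pre-2.10.0 flaw: the descendant check looks at the raw,
    still-encoded segments, and only afterwards does the file system layer decode."""
    if any(seg == ".." for seg in relative.split("/")):
        raise ValueError("not a descendant")  # only a literal '..' is caught
    # The file system layer decodes '%2E%2E' to '..' after the check has passed.
    return posixpath.normpath(posixpath.join(base, unquote(relative)))


def hardened_resolve(base: str, relative: str) -> str:
    """Decode first, normalize, then verify the result stays under base."""
    decoded = _fully_decode(relative)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("disallowed character in path")
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))
    # An absolute 'relative' path makes join() drop base; this check catches that too.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise ValueError(f"{relative!r} resolves outside {base_norm}")
    return candidate


if __name__ == "__main__":
    base = "/srv/data"
    for p in ("docs/bar.txt", "../bar.txt", "%2E%2E/bar.txt", "%252E%252E/bar.txt"):
        for name, fn in (("naive", naive_resolve), ("hardened", hardened_resolve)):
            try:
                print(f"{name:8} {p:22} -> {fn(base, p)}")
            except ValueError as exc:
                print(f"{name:8} {p:22} -> rejected ({exc})")
```

Running the script shows the naive resolver accepting `%2E%2E/bar.txt` and landing on `/srv/bar.txt`, while the hardened resolver rejects it along with the literal and double-encoded forms.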
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.commons:commons-vfs2 (Maven) | < 2.10.0 | 2.10.0 |
Affected products
- Apache Software Foundation / Apache Commons VFS, affected range: < 2.10.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9q4x-fr4m-jp86 (GHSA advisory)
- lists.apache.org/thread/cnzqowyw9r2pl263cylmxhnvh41hyjcb (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-27553 (NVD advisory)
- www.openwall.com/lists/oss-security/2025/03/23/1 (oss-security post)
- lists.debian.org/debian-lts-announce/2025/04/msg00006.html (Debian LTS announcement)
News mentions
No linked articles in our index yet.