VYPR
Moderate severity · NVD Advisory · Published Mar 23, 2025 · Updated Apr 1, 2025

Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message

CVE-2025-30474

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.

The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message. This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Commons VFS before 2.10.0 leaks the original URI, including passwords, in exception messages when FTP file lookups fail, exposing sensitive credentials.

Vulnerability Overview

CVE-2025-30474 is an information exposure vulnerability in Apache Commons VFS, a virtual file system library. The FtpFileObject class, when attempting to locate a file that does not exist, throws an exception whose message contains the original URI supplied by the caller [1][2]. If that URI includes embedded credentials (e.g., ftp://user:password@host/), the password is disclosed in plain text within the exception message.

Attack Surface

Exploitation does not require any special privileges beyond the ability to trigger a file-not-found condition on an FTP file system managed by Commons VFS. An attacker who can cause the library to attempt to access a non-existent file—or any operation that results in a missing file error—will receive an exception containing the unredacted URI. The vulnerability can be triggered locally by any code using the affected library, or remotely if the application exposes error details to users (e.g., through verbose error responses or logs) [2][4].

Impact

A successful information disclosure allows an unauthorized actor to capture FTP credentials (username and password) that were intended to remain secret. These credentials could then be reused to access the same FTP server or other services where the same credentials are employed. The moderate severity rating reflects the fact that the attacker must be in a position to observe exception messages, which may be limited in properly configured production environments.

Mitigation

The issue is fixed in Apache Commons VFS version 2.10.0 [1][3]. Users are strongly advised to upgrade to this release, which masks the password in exception messages by replacing the password portion of the URI with "***". No workarounds are documented; upgrading is the recommended remediation [2][4].
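The leak described in the Overview and the masking described here come down to one rule: never place a caller-supplied URI in an exception message or log line without first redacting its user-info. The following Java class is an added illustration written for this page; it is not Apache Commons VFS code, and the class names, the `RemoteFileNotFoundException` type and the sample FTP URI are constructed for the example. It shows the leaky pattern next to the redacted one, and handles the edge cases a practitioner hits in practice: a URI with a user name but no password, a URI with no user-info at all, and input that does not parse (which is fully masked rather than echoed back).

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not Apache Commons VFS code): redacting credentials embedded
 * in a URI before that URI is written into an exception message or a log line.
 */
public final class UriRedaction {

    private static final String MASK = "***";
    private static final String UNPARSEABLE = "<unparseable URI, redacted>";

    /** Hypothetical exception standing in for a "remote file not found" failure. */
    public static final class RemoteFileNotFoundException extends Exception {
        RemoteFileNotFoundException(String message) { super(message); }
    }

    /**
     * Returns the URI with any password in its user-info part replaced by "***".
     * A user name without a password and a URI without user-info are returned
     * unchanged; input that java.net.URI cannot parse is replaced wholesale so
     * that a malformed-but-secret string is never echoed back to the caller.
     */
    public static String maskPassword(String rawUri) {
        final URI uri;
        try {
            uri = new URI(rawUri);
        } catch (URISyntaxException e) {
            return UNPARSEABLE;
        }
        String userInfo = uri.getUserInfo();          // decoded "user:password" or "user"
        if (userInfo == null) return rawUri;          // no credentials present
        int colon = userInfo.indexOf(':');
        if (colon < 0) return rawUri;                 // user name only, nothing secret
        String maskedUserInfo = userInfo.substring(0, colon + 1) + MASK;
        try {
            // The multi-argument constructor re-encodes each component, so the
            // user name survives intact while the password is gone for good.
            return new URI(uri.getScheme(), maskedUserInfo, uri.getHost(), uri.getPort(),
                           uri.getPath(), uri.getQuery(), uri.getFragment()).toString();
        } catch (URISyntaxException e) {
            return UNPARSEABLE;
        }
    }

    /** Leaky pattern: the raw URI, password included, becomes part of the message. */
    public static RemoteFileNotFoundException leakyNotFound(String rawUri) {
        return new RemoteFileNotFoundException("Could not find file: " + rawUri);
    }

    /** Redacted pattern: only the masked URI is ever placed in the message. */
    public static RemoteFileNotFoundException redactedNotFound(String rawUri) {
        return new RemoteFileNotFoundException("Could not find file: " + maskPassword(rawUri));
    }

    /**
     * Cheap regression check for tests and log review: true when the message
     * still contains the secret it was supposed to hide.
     */
    public static boolean messageLeaks(String message, String secret) {
        return message.contains(secret);
    }

    public static void main(String[] args) {
        // Constructed sample URI; the host is a reserved .invalid name.
        String password = "s3cr3t";
        String uri = "ftp://deploy:" + password + "@ftp.example.invalid/releases/missing.tar.gz";

        System.out.println("leaky:    " + leakyNotFound(uri).getMessage());
        System.out.println("redacted: " + redactedNotFound(uri).getMessage());
        System.out.println("leaky message exposes password?    "
                + messageLeaks(leakyNotFound(uri).getMessage(), password));
        System.out.println("redacted message exposes password? "
                + messageLeaks(redactedNotFound(uri).getMessage(), password));

        // Edge cases: unchanged where there is nothing to hide, masked when unparseable.
        System.out.println(maskPassword("ftp://deploy@ftp.example.invalid/pub/file.txt"));
        System.out.println(maskPassword("ftp://ftp.example.invalid/pub/file.txt"));
        System.out.println(maskPassword("ftp://deploy:s3cr3t@ftp.example.invalid/bad path"));
    }
}
```

Applying the masking inside the exception factory, rather than at each call site, is the design choice that matters: every code path that builds the message gets the redaction for free, and a unit test can assert with `messageLeaks` that no message produced by the library ever contains the configured password.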

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.commons:commons-vfs2 (Maven)
Affected versions: < 2.10.0
Patched versions: 2.10.0

Affected products (2)

  • Range: < 2.10.0
  • Apache Software Foundation/Apache Commons VFSv5
    Range: 0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.