VYPR
Moderate severity · NVD Advisory · Published Apr 22, 2025 · Updated May 27, 2025

io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage

CVE-2025-32950

Description

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the /files endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
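A containment check of the kind that closes off this class of bug, as an added example (it is not code from Jmix or from its patch): the path portion of a file reference is resolved under the storage root and rejected if it lands outside it. The class name, method name and sample paths are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class StorageRootCheck {

    /** Resolve an untrusted relative path under root; throw if the result escapes root. */
    static Path resolveInsideRoot(Path root, String untrusted) throws IOException {
        Path realRoot = root.toRealPath(); // canonical root, symlinks resolved
        // resolve() returns the input unchanged if it is absolute; normalize() collapses "..".
        Path candidate = realRoot.resolve(untrusted).normalize();
        if (!candidate.startsWith(realRoot)) { // component-wise comparison, not a string prefix
            throw new SecurityException("path escapes storage root: " + untrusted);
        }
        // A symlink inside the root can still point outside it, so re-check the real path.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(realRoot)) {
            throw new SecurityException("symlink escapes storage root: " + untrusted);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed storage root and file, so the example runs offline.
        Path root = Files.createTempDirectory("storage-root");
        Files.createDirectories(root.resolve("2025/04/22"));
        Files.writeString(root.resolve("2025/04/22/report.txt"), "ok");

        // Constructed sample values for the path part of a file reference.
        String[] samples = {
            "2025/04/22/report.txt",            // stays inside the root
            "2025/../2025/04/22/report.txt",    // ".." that still resolves inside the root
            "../outside.txt",                   // climbs out of the root
            "2025/04/22/../../../../outside",   // climbs out after descending
            root.getParent().resolve("outside.txt").toString() // absolute path outside the root
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + s + " -> " + resolveInsideRoot(root, s));
            } catch (SecurityException e) {
                System.out.println("DENY  " + e.getMessage());
            }
        }
    }
}
```

The same check applies to values read back from the database, since the description notes that a stored FileRef can be modified there as well as supplied through the REST API.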

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| io.jmix.localfs:jmix-localfs | Maven | >= 1.0.0, < 1.6.2 | 1.6.2 |
| io.jmix.localfs:jmix-localfs | Maven | >= 2.0.0, < 2.4.0 | 2.4.0 |
