io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage
Description
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the /files endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.jmix.localfs:jmix-localfsMaven | >= 1.0.0, < 1.6.2 | 1.6.2 |
io.jmix.localfs:jmix-localfsMaven | >= 2.0.0, < 2.4.0 | 2.4.0 |
Affected products
2- jmix-framework/jmixv5Range: >= 1.0.0, < 1.6.2
Patches
Vulnerability mechanics
References
11- github.com/advisories/GHSA-jx4g-3xqm-62vhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-32950ghsaADVISORY
- docs.jmix.io/jmix/files-vulnerabilities.htmlghsax_refsource_MISCWEB
- docs.jmix.io/jmix/files-vulnerabilities.htmlghsax_refsource_MISCWEB
- github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4c8f7a2ghsax_refsource_MISCWEB
- github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a6250cb6aghsax_refsource_MISCWEB
- github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc5866169daa37ghsax_refsource_MISCWEB
- github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540d024aaghsax_refsource_MISCWEB
- github.com/jmix-framework/jmix/issues/3804ghsax_refsource_MISCWEB
- github.com/jmix-framework/jmix/issues/3836ghsax_refsource_MISCWEB
- github.com/jmix-framework/jmix/security/advisories/GHSA-jx4g-3xqm-62vhghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.