Moderate severity · NVD Advisory · Published Apr 22, 2025 · Updated May 27, 2025
io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API
CVE-2025-32951
Description
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter of the /files endpoint, which consists of a file path and name, can be manipulated so that the response carries a Content-Type header of text/html whenever the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
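As an added illustration of the mechanism the description outlines (generic example code, not Jmix's own implementation; the `fs://` reference format and the inline allow-list are assumptions), a download handler that derives Content-Type from the stored file name beside a hardened variant that forces a download and forbids MIME sniffing for anything outside the allow-list:

```python
import mimetypes
import posixpath
import re
from typing import Dict

# Constructed sample file references, shaped like what a /files-style endpoint
# might receive. The name part is chosen by whoever uploaded the file.
SAMPLE_FILE_REFS = ["fs://2025/04/report.pdf", "fs://2025/04/payload.html"]

# Assumed allow-list of types that are safe to render inline in a browser.
SAFE_INLINE_TYPES = {"application/pdf", "image/png", "image/jpeg"}


def _name_part(file_ref: str) -> str:
    """Strip the storage scheme and directory part, keep only the file name."""
    return posixpath.basename(file_ref.split("://", 1)[-1])


def vulnerable_headers(file_ref: str) -> Dict[str, str]:
    """Pattern the advisory describes: Content-Type is guessed from the name
    part, so an uploaded name ending in .html is served as text/html and the
    browser renders (and executes scripts in) the stored content."""
    ctype, _ = mimetypes.guess_type(_name_part(file_ref))
    return {"Content-Type": ctype or "application/octet-stream"}


def hardened_headers(file_ref: str) -> Dict[str, str]:
    """Hardened variant: render inline only allow-listed types, serve everything
    else as an opaque attachment, and set nosniff so the browser cannot
    reinterpret the body as HTML. The file name is sanitised before it is
    placed in a header to rule out quote or CRLF injection."""
    name = re.sub(r"[^A-Za-z0-9._-]", "_", _name_part(file_ref)) or "download"
    ctype, _ = mimetypes.guess_type(name)
    headers = {"X-Content-Type-Options": "nosniff"}
    if ctype in SAFE_INLINE_TYPES:
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


if __name__ == "__main__":
    for ref in SAMPLE_FILE_REFS:
        print(ref, "vulnerable:", vulnerable_headers(ref))
        print(ref, "hardened: ", hardened_headers(ref))
```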
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jmix.rest:jmix-rest (Maven) | >= 1.0.0, < 1.6.2 | 1.6.2 |
| io.jmix.rest:jmix-rest (Maven) | >= 2.0.0, < 2.4.0 | 2.4.0 |
Affected products
- jmix-framework/jmix (range: >= 1.0.0, < 1.6.2)
References
- github.com/advisories/GHSA-x27v-f838-jh93
- nvd.nist.gov/vuln/detail/CVE-2025-32951
- docs.jmix.io/jmix/files-vulnerabilities.html
- github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4c8f7a2
- github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a6250cb6a
- github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc5866169daa37
- github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540d024aa
- github.com/jmix-framework/jmix/issues/3804
- github.com/jmix-framework/jmix/issues/3836
- github.com/jmix-framework/jmix/security/advisories/GHSA-x27v-f838-jh93