CVE-2025-40592
Description
A vulnerability has been identified in Mendix Studio Pro 10 (All versions < V10.23.0), Mendix Studio Pro 10.12 (All versions < V10.12.17), Mendix Studio Pro 10.18 (All versions < V10.18.7), Mendix Studio Pro 10.6 (All versions < V10.6.24), Mendix Studio Pro 11 (All versions < V11.0.0), Mendix Studio Pro 8 (All versions < V8.18.35), Mendix Studio Pro 9 (All versions < V9.24.35). A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mendix Studio Pro versions prior to multiple patch releases contain a zip path traversal vulnerability that allows arbitrary file write outside the developer's project directory via a malicious module.
Vulnerability Details
CVE-2025-40592 is a zip path traversal vulnerability in the module installation process of Mendix Studio Pro. The affected versions include all releases of Studio Pro 8 (< V8.18.35), 9 (< V9.24.35), 10 (< V10.23.0, with specific sub-versions), and 11 (< V11.0.0). The root cause lies in insufficient validation of file paths during the extraction of a module archive, allowing directory traversal sequences to escape the intended project folder during installation [1].
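The root cause described above is the classic zip path traversal pattern: an installer joins each archive entry name to the project directory without checking where the resulting path lands. The following Python example, added here and not taken from Mendix or Siemens code, shows the check a module installer needs: every entry is resolved against the destination and the whole archive is rejected if any entry escapes it. The destination directory and the sample module contents are constructed placeholders. Note that Python's own `zipfile.extractall` already strips such components on extraction; the point of the example is to refuse the archive outright rather than silently rewrite it, which is the behaviour an installer should have so that a tampered module is surfaced instead of partially installed.

```python
import io
import os
import tempfile
import zipfile


def find_unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the names of archive entries that would resolve outside dest_dir.

    Rejects absolute paths, drive-letter paths and any name whose
    normalised path (after joining to dest_dir) is not inside dest_dir.
    """
    dest = os.path.realpath(dest_dir)
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths and Windows drive prefixes are never acceptable in a module.
            if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
                unsafe.append(name)
                continue
            # Normalise separators, then resolve against the destination and
            # require the destination to be a prefix of the resolved path.
            target = os.path.realpath(os.path.join(dest, name.replace("\\", "/")))
            if os.path.commonpath([dest, target]) != dest:
                unsafe.append(name)
    return unsafe


def install_module(zip_bytes: bytes, dest_dir: str = None) -> tuple:
    """Extract a module archive into dest_dir only if no entry escapes it.

    Returns (dest_dir, sorted list of extracted entry names). Raises
    ValueError, extracting nothing, if any traversal entry is present.
    """
    if dest_dir is None:
        # Placeholder project directory; a real installer uses the open project.
        dest_dir = tempfile.mkdtemp(prefix="studio-pro-project-")
    unsafe = find_unsafe_entries(zip_bytes, dest_dir)
    if unsafe:
        raise ValueError(f"refusing to install module: traversal entries {unsafe}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        names = sorted(info.filename for info in zf.infolist())
    return dest_dir, names


def build_sample_module(include_traversal: bool) -> bytes:
    """Build a constructed in-memory module archive for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyModule/module.txt", "constructed module content")
        if include_traversal:
            # Constructed traversal entry of the kind the check must reject.
            zf.writestr("../../outside.txt", "constructed traversal entry")
    return buf.getvalue()


if __name__ == "__main__":
    dest, names = install_module(build_sample_module(False))
    print("installed", names, "into", dest)
    print("unsafe entries:", find_unsafe_entries(build_sample_module(True), dest))
```

Resolving both sides with `os.path.realpath` before the prefix comparison matters: a plain string prefix test would accept `project-evil/` as being inside `project/`, and an unresolved destination that is itself a symlink would compare unequal to the resolved entry path. Symbolic links stored inside the archive are a separate concern and need their own handling before extraction.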
Exploitation Scenario
To exploit this vulnerability, an attacker must craft a malicious module that contains file paths with traversal components (e.g., '../'). The attacker can then distribute the module through channels such as the Mendix Marketplace or other means, tricking a developer into installing it in their Studio Pro project. No additional authentication is required beyond normal user interaction with Studio Pro, but the developer must manually initiate the module installation [1].
Impact
Successful exploitation enables an attacker to write or modify arbitrary files in directories outside the developer's project directory. This could lead to arbitrary code execution, persistent compromise of the development environment, or manipulation of project files, depending on the files targeted [1].
Mitigation
Siemens has released patched versions for all affected product lines: V8.18.35, V9.24.35, V10.6.24, V10.12.17, V10.18.7, V10.23.0, and V11.0.0. As a workaround, users should avoid installing untrusted or unverified modules. Users are strongly advised to update to the latest available versions [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.