CVE-2025-32950: io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage
First published: Tue Apr 22 2025(Updated: )
### Impact Attackers could manipulate the `FileRef` parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the `FileRef` directly in the database or by supplying a harmful value in the `fileRef` parameter of the `/files` endpoint of the generic REST API. Arbitrary file reading on the operating system where the Jmix process is running. The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users. Additionally, the `/files` endpoint in Jmix requires specific permissions and is disabled by default. ### Workarounds A workaround for those who are unable to upgrade: [Fix Path Traversal in Jmix Application](https://docs.jmix.io/jmix/files-vulnerabilities.html#fix-path-traversal-in-jmix-application). ### Credit Cai, Qi Qi of Siemens China Cybersecurity Testing Center - Shadowless Lab
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.jmix.localfs:jmix-localfs | >=2.0.0<2.4.0 | 2.4.0 |
| maven/io.jmix.localfs:jmix-localfs | >=1.0.0<1.6.2 | 1.6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jmix-framework/jmix/security/advisories/GHSA-jx4g-3xqm-62vh
- https://docs.jmix.io/jmix/files-vulnerabilities.html
- https://docs.jmix.io/jmix/files-vulnerabilities.html#fix-path-traversal-in-jmix-application
- https://nvd.nist.gov/vuln/detail/CVE-2025-32950
- https://github.com/advisories/GHSA-jx4g-3xqm-62vh (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-32950?
CVE-2025-32950 is classified as a high-severity vulnerability due to its potential to allow unauthorized file access.
How do I fix CVE-2025-32950?
To fix CVE-2025-32950, update the Jmix Local File System package to versions 2.4.0 or 1.6.2 or higher.
What systems are affected by CVE-2025-32950?
CVE-2025-32950 affects Jmix applications that utilize the Local File System module versions between 1.0.0 and 1.6.2 or 2.0.0 and 2.4.0.
What type of attack does CVE-2025-32950 enable?
CVE-2025-32950 enables a path traversal attack that could allow attackers to read arbitrary files on the server.
Is authentication required to exploit CVE-2025-32950?
No, CVE-2025-32950 can potentially be exploited by attackers without authentication if the application server has the necessary permissions.
- agent/weakness
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/type
- agent/description
- agent/author
- agent/severity
- collector/nvd-api
- source/NVD
- collector/epss-latest
- source/FIRST
- agent/source
- agent/epss
- collector/nvd-cve
- agent/last-modified-date
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jx4g-3xqm-62vh
- alias/CVE-2025-32950
- agent/software-canonical-lookup
- agent/tags
- agent/event
- package-manager/maven