First published: Tue Apr 22 2025
### Impact

The local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of disk space and return an HTTP 500 error, resulting in a denial of service. The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users. Additionally, the `/files` endpoint in Jmix requires specific permissions and is disabled by default.

### Patches

The problem has been fixed in Jmix 1.6.2+ and 2.4.0+.

### Workarounds

A workaround for those who are unable to upgrade: [Disable Files Endpoint in Jmix Application](https://docs.jmix.io/jmix/files-vulnerabilities.html#disable-files-endpoint-in-jmix-application).
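The defensive counterpart to the issue described above, as an added example that is not Jmix's own code: a local-storage write that caps the number of bytes accepted from an upload stream and rolls back before the disk can fill. The class name, method name and the 10 MiB limit are illustrative assumptions.

```java
import java.io.*;
import java.nio.file.*;

// Added example (not Jmix code): copy an upload to local storage while
// enforcing a hard byte limit, so an oversized request cannot fill the disk.
public class SizeLimitedFileStore {
    // Illustrative limit; a real deployment would make this configurable.
    static final long MAX_UPLOAD_BYTES = 10L * 1024 * 1024; // 10 MiB

    public static class UploadTooLargeException extends IOException {
        UploadTooLargeException(long limit) {
            super("upload exceeds limit of " + limit + " bytes");
        }
    }
    // Writes at most MAX_UPLOAD_BYTES from 'in' to 'target'. The chunk that
    // would cross the limit is never persisted; on rejection the partial
    // file is deleted, so a refused upload leaves no data on disk.
    public static long store(InputStream in, Path target) throws IOException {
        long written = 0;
        byte[] buf = new byte[8192];
        try (OutputStream out = Files.newOutputStream(target,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            int n;
            while ((n = in.read(buf)) != -1) {
                if (written + n > MAX_UPLOAD_BYTES) {
                    throw new UploadTooLargeException(MAX_UPLOAD_BYTES);
                }
                out.write(buf, 0, n);
                written += n;
            }
        } catch (IOException e) {
            Files.deleteIfExists(target); // roll back the partial write
            throw e;
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("store-demo");
        // Constructed inputs: one inside the limit, one a single byte over it.
        long ok = store(new ByteArrayInputStream(new byte[1024]), dir.resolve("ok.bin"));
        System.out.println("stored " + ok + " bytes");
        try {
            store(new ByteArrayInputStream(new byte[(int) MAX_UPLOAD_BYTES + 1]),
                  dir.resolve("big.bin"));
        } catch (UploadTooLargeException e) {
            System.out.println("rejected: " + e.getMessage()
                + "; partial file kept=" + Files.exists(dir.resolve("big.bin")));
        }
    }
}
```

Enforcing the limit while streaming, rather than after the whole body has been written, is what keeps a rejected upload from consuming storage in the first place.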
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.jmix.localfs:jmix-localfs | >=2.0.0, <2.4.0 | 2.4.0 |
| maven/io.jmix.localfs:jmix-localfs | >=1.0.0, <1.6.2 | 1.6.2 |
CVE-2025-32952 has been classified as a denial of service vulnerability due to unrestricted file upload size.
To fix CVE-2025-32952, upgrade io.jmix.localfs to version 2.4.0 or later if you are on the 2.x line (2.0.0 and above), or to version 1.6.2 or later if you are on the 1.x line (1.0.0 and above).
An attacker exploiting CVE-2025-32952 could potentially fill the server's storage space, leading to HTTP 500 errors and a denial of service.
CVE-2025-32952 affects io.jmix.localfs versions from 1.0.0 up to, but not including, 1.6.2, and from 2.0.0 up to, but not including, 2.4.0.
Until you can upgrade, disabling file uploads or enforcing an upload size limit manually can serve as a temporary workaround for CVE-2025-32952.