CVE-2025-13261 is a path traversal vulnerability identified in the lsfusion platform, specifically affecting versions 6.0 and 6.1. The flaw resides in the DownloadFileRequestHandler component, located in the source file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. The vulnerability arises when the 'Version' parameter is manipulated by an attacker to traverse directories outside the intended file path. This allows unauthorized access to files on the server that should otherwise be inaccessible. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it a significant risk. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality (VC:L), with no impact on integrity or availability. Although no active exploitation has been reported, a public exploit is available, which could facilitate attacks by malicious actors. The lack of patch links suggests that a fix may not yet be publicly released, emphasizing the need for immediate mitigation. The vulnerability could be leveraged to access sensitive configuration files, credentials, or other critical data stored on the server, potentially leading to further compromise or data leakage. Organizations using the affected lsfusion platform versions should assess their exposure and implement controls to prevent exploitation.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive information stored on servers running the vulnerable lsfusion platform versions 6.0 and 6.1. Given that the exploit requires no authentication and can be executed remotely, attackers could gain access to confidential files, potentially including intellectual property, personal data protected under GDPR, or critical business information. This could lead to regulatory penalties, reputational damage, and operational disruption. Industries such as finance, healthcare, government, and critical infrastructure that rely on lsfusion for business processes or data management are particularly at risk. The medium severity rating reflects the partial confidentiality impact without direct integrity or availability compromise; however, the exposure of sensitive data alone can have severe consequences. The availability of a public exploit increases the likelihood of exploitation attempts, especially by opportunistic attackers. European organizations must consider the risk of targeted attacks exploiting this vulnerability to gain footholds or escalate privileges within their networks.

1. Immediate mitigation should focus on input validation: implement strict sanitization and validation of the 'Version' parameter to prevent directory traversal sequences such as '../'. 2. Employ allowlisting of file paths or restrict file access to predefined directories to ensure that file downloads cannot escape intended boundaries. 3. Monitor web server logs and application logs for suspicious download requests that include path traversal patterns or unusual 'Version' parameter values. 4. If possible, apply vendor patches or updates as soon as they become available; maintain close communication with lsfusion support channels for official fixes. 5. Consider deploying Web Application Firewalls (WAFs) with rules designed to detect and block path traversal attempts targeting the DownloadFileRequestHandler endpoint. 6. Conduct internal audits of file permissions and server configurations to minimize exposure of sensitive files. 7. Educate development and operations teams about secure coding practices related to file handling and parameter validation to prevent similar vulnerabilities. 8. In the absence of patches, consider temporary workarounds such as disabling the vulnerable download functionality if it is not critical to operations.