CVE-2025-32950 is a path traversal vulnerability affecting the Jmix framework, a set of libraries and tools designed to accelerate Spring Boot data-centric application development. The vulnerability exists in versions 1.0.0 through 1.6.1 and 2.0.0 through 2.3.4 of Jmix. It allows an attacker with at least low-level privileges (PR:L) on the application server to manipulate the FileRef parameter, either by directly modifying the database or by supplying a crafted value to the fileRef parameter in the `/files` endpoint of the generic REST API. This manipulation enables unauthorized access to arbitrary files on the underlying system where the Jmix application is deployed, assuming the application server has the necessary file system permissions. The vulnerability stems from insufficient validation and sanitization of the FileRef input, allowing path traversal sequences such as '.../...//' to bypass normal path restrictions and access files outside the intended directory scope. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). The impact is primarily on confidentiality, as attackers can read sensitive files, but it does not affect integrity or availability. The issue has been addressed in patched versions 1.6.2 and 2.4.0 of Jmix. A documented workaround is also available on the Jmix website to mitigate risk until patching is possible. No known exploits are currently reported in the wild, but the medium CVSS score of 6.5 reflects the significant confidentiality impact combined with relatively easy exploitability given low privileges and no user interaction required.

For European organizations using Jmix framework versions prior to 1.6.2 or 2.4.0, this vulnerability poses a risk of unauthorized disclosure of sensitive files on their application servers. This could include configuration files, credentials, intellectual property, or personal data protected under GDPR. The confidentiality breach could lead to data leaks, regulatory penalties, and reputational damage. Since Jmix is used to accelerate Spring Boot application development, organizations in sectors such as finance, healthcare, and government that rely on custom data-centric applications may be particularly at risk. The vulnerability requires at least low-level privileges on the application server, which means that if an attacker can gain limited access (e.g., through another vulnerability or insider threat), they could escalate their impact by reading arbitrary files. The absence of integrity or availability impact reduces the risk of direct system disruption or data tampering, but the confidentiality breach alone is significant. Given the lack of known exploits in the wild, the threat is currently moderate but could increase if exploit code is developed. European organizations should prioritize patching to prevent potential data breaches and comply with data protection regulations.

1. Upgrade all Jmix framework instances to versions 1.6.2 or 2.4.0 or later as soon as possible to apply the official patch addressing this vulnerability. 2. Until patching is complete, implement the recommended workaround from the Jmix documentation, which may involve input validation or restricting access to the `/files` endpoint. 3. Restrict permissions of the application server process to the minimum necessary, especially limiting file system access to only required directories, to reduce the impact of potential path traversal. 4. Monitor application logs and REST API access patterns for suspicious requests targeting the `/files` endpoint or unusual FileRef parameter values indicative of path traversal attempts. 5. Conduct a thorough review of database entries for FileRef parameters to detect and remediate any malicious modifications. 6. Employ Web Application Firewalls (WAF) with custom rules to detect and block path traversal payloads targeting the vulnerable endpoints. 7. Enforce strict authentication and authorization controls on the REST API to limit access to trusted users and services only. 8. Regularly audit and update dependencies and frameworks to ensure timely application of security patches.