CVE-2025-32950: CWE-35: Path Traversal: '.../...//' in jmix-framework jmix
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the `/files` endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
AI Analysis
Technical Summary
CVE-2025-32950 is a path traversal vulnerability in Jmix, a set of libraries and tools for building Spring Boot data-centric applications. Affected versions are 1.0.0 through 1.6.1 and 2.0.0 through 2.3.4. The flaw lies in how a FileRef (the reference Jmix stores to locate a file in file storage) is turned into a filesystem path: the value is not sufficiently validated, so traversal sequences reach the storage layer and resolve to files outside the intended storage directory. The CWE-35 classification names the specific failure mode in which a sequence such as '.../...//' survives a filter that strips '../' once, because removing the inner '../' leaves a fresh '../' behind. The robust fix is not to strip bad substrings but to canonicalize the resolved path and verify it still lies under the storage root.

Two attack paths are described. An attacker can supply a crafted fileRef parameter to the `/files` endpoint of the generic REST API; this requires an account with ordinary, low-privilege access to the application (CVSS PR:L), which is application-level privilege, not access to the server itself. Alternatively, anyone who can write to the application database can alter a stored FileRef so that a later, otherwise legitimate download returns an arbitrary file. In both cases the readable files are limited to those the application server process itself can read.

The REST vector is reachable over the network (AV:N), has low attack complexity (AC:L) and needs no user interaction. The impact is confined to confidentiality: an attacker can read sensitive files but cannot modify them or disrupt the service (no integrity or availability impact). The issue is fixed in Jmix 1.6.2 and 2.4.0, and the Jmix documentation publishes a workaround for deployments that cannot upgrade immediately. No exploitation in the wild has been reported; the CVSS score of 6.5 (Medium) reflects high confidentiality impact combined with easy exploitation by an authenticated, low-privileged user.
Potential Impact
For European organizations running Jmix applications older than 1.6.2 or 2.4.0, the risk is unauthorized disclosure of files readable by the application server process: configuration files, credentials, private keys, intellectual property, or personal data protected under GDPR. A confidentiality breach of that kind can lead to data leaks, regulatory penalties and reputational damage. Because Jmix is used to build custom data-centric applications, organizations in finance, healthcare and government are likely to have it in line-of-business systems that handle exactly this kind of data. The REST vector needs only a low-privileged application account, so any user who can log in, or an attacker who has obtained one such account through phishing, credential reuse or another vulnerability, can read arbitrary files; an insider with database write access has the second path through a modified FileRef. There is no integrity or availability impact, so direct system disruption or data tampering is not a concern here, but the confidentiality impact alone is significant. With no known exploits in the wild the threat is currently moderate, though the simplicity of the attack means that could change quickly. Affected organizations should prioritize patching both to prevent data breaches and to meet their data protection obligations.
Mitigation Recommendations
1. Upgrade every Jmix application to 1.6.2 (1.x line) or 2.4.0 (2.x line) or later; this is the only complete fix.
2. Until the upgrade is deployed, apply the workaround published in the Jmix documentation.
3. Run the application server under an account with the minimum filesystem rights: read access to the file storage directory and nothing sensitive beyond it, so that a traversal has little to reach (the vulnerability only exposes what the server process can read).
4. Monitor REST API access logs for requests to the `/files` endpoint whose fileRef value contains dot-segment runs ('../', '.../...//'), percent-encoded or double-encoded equivalents, absolute paths, or storage paths that do not match the naming scheme your application writes.
5. Audit stored FileRef values in the database for entries that do not match the format your application generates, since a modified record is the second attack path and is invisible to request-level monitoring.
6. Add WAF rules for traversal payloads on the `/files` endpoint as a compensating control, covering encoding variants and the '.../...//' form; a WAF does not cover the database path.
7. Restrict who can call the generic REST API: keep it disabled if it is not needed, and limit access to the users and services that require it.
8. Track Jmix releases and dependency advisories so that patches like this one are applied promptly.
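As an added example of the log monitoring in item 4 (written for this page; not Jmix tooling), the following Python flags traversal attempts against the files endpoint in access-log lines. The log lines are constructed, the `/rest/files` path and the `<storage>://<relative path>` shape of fileRef values are assumptions, and the decoder unmasks repeated percent-encoding so a `%252e%252e` payload is not missed.

```python
"""Detect path-traversal attempts against a Jmix-style /files endpoint in
access logs. Added example for this page; not Jmix code. Assumes a
combined-log-style line format, the REST prefix /rest (assumption) and a
fileRef value of the form '<storage>://<relative path>' (assumption)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic).
LOG_LINES = [
    '203.0.113.7 - alice [21/May/2025:09:09:18 +0000] "GET /rest/files?fileRef=fs://2025/04/report.pdf HTTP/1.1" 200 5120',
    '203.0.113.7 - alice [21/May/2025:09:09:20 +0000] "GET /rest/entities/Customer?limit=10 HTTP/1.1" 200 912',
    '198.51.100.23 - bob [21/May/2025:09:10:02 +0000] "GET /rest/files?fileRef=fs://.../...//.../...//.../...//etc/passwd HTTP/1.1" 200 2048',
    '198.51.100.23 - bob [21/May/2025:09:10:05 +0000] "GET /rest/files?fileRef=fs%3A%2F%2F%252e%252e%252f%252e%252e%252fetc%2Fshadow HTTP/1.1" 403 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A whole path segment made of two or more dots: "..", "...", "...." (CWE-35 forms).
DOT_SEGMENT_RE = re.compile(r"(^|/)\.{2,}(/|$)")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%252e) are unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_ref: str) -> bool:
    """True if the decoded reference escapes a relative storage path."""
    ref = decode_fully(file_ref).replace("\\", "/")
    ref = SCHEME_RE.sub("", ref)  # drop the 'fs://' storage prefix (assumed format)
    if "\x00" in ref or ref.startswith("/"):
        return True
    return DOT_SEGMENT_RE.search(ref) is not None


def scan(lines):
    """Return (ip, user, status, decoded fileRef) for each suspicious files request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/files"):
            continue
        for ref in parse_qs(parts.query).get("fileRef", []):
            if is_traversal(ref):
                hits.append((m.group("ip"), m.group("user"), m.group("status"), decode_fully(ref)))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print("traversal attempt:", hit)
```

The HTTP status is kept in each hit because a 200 on a traversal payload means the download succeeded and the incident is a confirmed disclosure, whereas a 403 suggests the workaround or a WAF rule blocked it. Stored-FileRef tampering (item 5) leaves no such request and needs a separate database audit.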
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-14T21:47:11.450Z
- CISA Enriched: true
Threat ID: 682d983ec4522896dcbf0190
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 6/9/2025, 1:17:55 PM
Last updated: 7/8/2025, 11:13:27 AM
Related Threats
- CVE-2025-7207: Heap-based Buffer Overflow in mruby (Medium)
- CVE-2025-4855: CWE-639 Authorization Bypass Through User-Controlled Key in Schiocco Support Board (Critical)
- CVE-2025-4828: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Schiocco Support Board (Critical)
- CVE-2025-3780: CWE-862 Missing Authorization in wclovers WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (Medium)
- CVE-2025-7206: Stack-based Buffer Overflow in D-Link DIR-825 (Critical)