CVE-2025-32950: CWE-35: Path Traversal: '.../...//' in jmix-framework jmix
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the `/files` endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
AI Analysis
Technical Summary
CVE-2025-32950 is a path traversal vulnerability affecting the Jmix framework, a set of libraries and tools designed to accelerate Spring Boot data-centric application development. The vulnerability exists in versions 1.0.0 through 1.6.1 and 2.0.0 through 2.3.4 of Jmix. It allows an attacker with at least limited privileges (PR:L) on the application server to manipulate the FileRef parameter, either by directly modifying the database or by supplying a crafted value to the fileRef parameter of the /files endpoint in the generic REST API. This manipulation enables unauthorized access to arbitrary files on the server's filesystem, provided the server process has the necessary file permissions. The vulnerability is classified under CWE-35 (Path Traversal) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), indicating that the application fails to properly sanitize or validate file path inputs, allowing traversal sequences such as '.../...//' to escape intended directories. The vulnerability does not require user interaction and has a CVSS 3.1 base score of 6.5 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). The issue has been patched in versions 1.6.2 and 2.4.0 of Jmix. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk due to the potential exposure of sensitive files on affected systems. A workaround is documented by the vendor to mitigate risk until patching is applied.
Potential Impact
For European organizations using the Jmix framework within their Spring Boot applications, this vulnerability could lead to unauthorized disclosure of sensitive information stored on the application server. Since the attack allows reading arbitrary files, attackers could access configuration files, credentials, source code, or other sensitive data, potentially leading to further compromise or data breaches. The impact is particularly critical for sectors handling sensitive personal data under GDPR, such as healthcare, finance, and government services. Exposure of confidential data could result in regulatory penalties, reputational damage, and operational disruption. Additionally, since the vulnerability requires some level of privileges on the server, insider threats or attackers who have gained limited access could escalate their impact significantly. The lack of integrity and availability impact reduces the risk of direct service disruption, but confidentiality breaches alone are serious. The medium CVSS score reflects the balance between ease of exploitation (low complexity, network accessible) and the requirement for some privileges. European organizations relying on Jmix for rapid application development should prioritize patching to prevent data leakage and comply with data protection regulations.
Mitigation Recommendations
1. Upgrade affected Jmix framework versions to 1.6.2 or 2.4.0 or later immediately to apply the official patch that addresses the path traversal vulnerability.
2. Until patching is possible, implement the vendor-provided workaround from the Jmix documentation, which may include input validation or filtering on the FileRef parameter and restricting access to the /files endpoint.
3. Restrict file system permissions of the application server process to the minimum necessary, ensuring it cannot read sensitive files outside intended directories.
4. Implement strict access controls and monitoring on the database to prevent unauthorized modification of the FileRef parameter values.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block path traversal patterns in HTTP requests targeting the /files endpoint.
6. Conduct regular security audits and code reviews focusing on input validation for file handling APIs.
7. Monitor application logs for suspicious access patterns or attempts to exploit the fileRef parameter.
8. Educate developers and administrators about secure coding practices and the risks of path traversal vulnerabilities to prevent recurrence.
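Recommendations 2, 5 and 7 all come down to the same check: decide whether a fileRef value is a traversal attempt, and apply that check either before the file is served or over the access log afterwards. The following Python is an added example, not code from Jmix or from the advisory. The log lines are constructed; the `/rest/files` path prefix and the `fs://path?name=...` FileRef form are assumptions about the deployment, and the check itself only looks at the path part, so it works for any prefix.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (Common Log Format, not real traffic). The "/rest/files"
# prefix and the "fs://path?name=..." FileRef form are assumptions about the deployment.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/May/2025:09:09:18 +0000] "GET /rest/files?fileRef=fs%3A%2F%2F2025%2F05%2Freport.pdf%3Fname%3Dreport.pdf HTTP/1.1" 200 4096
10.0.0.7 - bob [21/May/2025:09:10:02 +0000] "GET /rest/files?fileRef=fs%3A%2F%2F...%2F...%2F%2Foutside%2Fsecret.txt HTTP/1.1" 200 812
10.0.0.7 - bob [21/May/2025:09:10:05 +0000] "GET /rest/files?fileRef=fs%3A%2F%2F..%252F..%252Foutside%2Fsecret.txt HTTP/1.1" 200 812
10.0.0.9 - carol [21/May/2025:09:11:40 +0000] "GET /rest/entities/Order HTTP/1.1" 200 1200
"""

DOTS_ONLY = re.compile(r"^\.{2,}$")  # "..", "...", "....": also catches the '.../...//' variant
LOG_ENTRY = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"', re.M)

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded separators (%252F) are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def file_ref_path(file_ref: str) -> str:
    """Reduce a FileRef to its path: drop the storage prefix and any ?name= suffix."""
    ref = decode_fully(file_ref).replace("\\", "/")
    if "://" in ref:
        ref = ref.split("://", 1)[1]
    return ref.split("?", 1)[0]

def is_traversal(file_ref: str) -> bool:
    """True if the path is absolute, has a drive letter, or contains a dots-only segment."""
    path = file_ref_path(file_ref)
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        return True
    return any(DOTS_ONLY.match(segment) for segment in path.split("/"))

def suspicious_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client, decoded fileRef) for /files requests whose fileRef looks like traversal."""
    hits = []
    for entry in LOG_ENTRY.finditer(log_text):
        url = urlsplit(entry.group("target"))
        if url.path.endswith("/files"):
            for ref in parse_qs(url.query).get("fileRef", []):  # parse_qs decodes one layer
                if is_traversal(ref):
                    hits.append((entry.group("client"), decode_fully(ref)))
    return hits
```

`is_traversal` is the same predicate a request filter in front of the endpoint would apply; rejecting dots-only segments rather than stripping `../` is what defeats the `.../...//` form that CWE-35 describes.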
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-14T21:47:11.450Z
- Cisa Enriched: true
Threat ID: 682d983ec4522896dcbf0190
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 7/9/2025, 1:57:24 PM
Last updated: 7/31/2025, 4:41:14 PM