
CVE-2025-32951: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jmix-framework jmix

Severity: Medium
Tags: Vulnerability, CVE-2025-32951, cve, cwe-79
Published: Tue Apr 22 2025 (04/22/2025, 17:32:23 UTC)
Source: CVE
Vendor/Project: jmix-framework
Product: jmix

Description

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.

AI-Powered Analysis

Last updated: 07/09/2025, 13:57:03 UTC

Technical Analysis

CVE-2025-32951 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting jmix-framework, a set of libraries and tools designed to accelerate Spring Boot data-centric application development. The vulnerability exists in versions 1.0.0 through 1.6.1 and 2.0.0 through 2.3.4. The issue arises because the input parameter, which includes a file path and name, can be manipulated such that if the file name ends with the extension '.html', the server responds with a Content-Type header of 'text/html'. This behavior allows an attacker who has previously uploaded a malicious file to have their JavaScript code executed in the victim's browser when the file is accessed. The vulnerability requires that the attacker first upload a malicious HTML file, so some level of prior access to, or functionality that allows, file uploads is necessary. The vulnerability has been patched in versions 1.6.2 and 2.4.0 of the jmix framework. A documented workaround is also available on the Jmix website. The CVSS v3.1 base score is 6.4, indicating medium severity. The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), changed scope (S:C), low impact on confidentiality and integrity, and no impact on availability. No known exploits are currently reported in the wild. This vulnerability could be exploited to execute arbitrary JavaScript in the context of the affected web application, potentially leading to session hijacking, defacement, or redirection to malicious sites.

Potential Impact

For European organizations using the jmix framework in their Spring Boot applications, this vulnerability poses a risk of client-side code injection via malicious HTML files. The impact includes potential theft of user credentials, session tokens, or other sensitive information accessible through the browser, undermining user trust and potentially violating data protection regulations such as GDPR. Since the vulnerability requires prior file upload capability, organizations that expose file upload features without strict validation are at higher risk. Exploitation could lead to targeted attacks against users of affected applications, resulting in reputational damage and possible regulatory penalties. The scope of affected systems is limited to applications using vulnerable versions of jmix, but given the framework’s role in accelerating development, multiple enterprise applications across sectors such as finance, healthcare, and government could be impacted. The medium severity rating reflects the moderate ease of exploitation combined with the potential for significant confidentiality and integrity impacts. Availability is not affected, so denial-of-service is not a concern here.

Mitigation Recommendations

Organizations should immediately upgrade all jmix framework instances to versions 1.6.2 or 2.4.0 or later, where the vulnerability is patched. Until upgrades can be performed, applying the official workaround from the Jmix documentation is critical. This may include disabling or restricting file upload functionality, validating file names and extensions rigorously, and ensuring that Content-Type headers are correctly set to prevent HTML content from being served when not intended. Implementing Content Security Policy (CSP) headers can help mitigate the impact of any injected scripts by restricting script execution sources. Additionally, web application firewalls (WAFs) should be configured to detect and block suspicious file uploads or requests attempting to exploit this vulnerability. Regular code reviews and security testing focusing on input validation and output encoding should be enforced. Monitoring logs for unusual file upload activity or access patterns to .html files can provide early detection of exploitation attempts. Finally, educating developers about secure file handling and the risks of improper content-type handling is recommended.
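As an added illustration of the mitigation described above (this is example code, not Jmix's own code nor its patch), the following Java class shows how a file download handler can choose its response headers so that a user-controlled name ending in ".html" can never produce a "text/html" Content-Type: the type is taken from a server-side allowlist keyed on extension, anything not on it is served as application/octet-stream with an attachment disposition, and X-Content-Type-Options is always nosniff. The class name SafeDownloadHeaders, the Headers record and the forFile method are hypothetical names; the code assumes Java 16 or later and only the JDK.

```java
import java.util.Locale;
import java.util.Map;

// Added example, not Jmix code: chooses response headers for a stored file so a
// user-controlled name ending in ".html" can no longer yield "text/html".
public final class SafeDownloadHeaders {

    // Types that may be rendered inline. HTML, SVG and XML are deliberately
    // absent: they can carry script and must always be delivered as downloads.
    private static final Map<String, String> INLINE_TYPES = Map.of(
            "png", "image/png",
            "jpg", "image/jpeg",
            "jpeg", "image/jpeg",
            "gif", "image/gif");

    /** The three headers a download handler should set (hypothetical record). */
    public record Headers(String contentType, String contentDisposition,
                          String contentTypeOptions) {}

    public static Headers forFile(String requestedName) {
        // Drop any directory part so "uploads/../evil.html" is judged as "evil.html".
        String name = requestedName == null ? "" : requestedName;
        int slash = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = name.substring(slash + 1);

        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);

        // Content-Type comes from the server-side allowlist, never from the name.
        String type = INLINE_TYPES.get(ext);
        String disposition = "inline";
        if (type == null) {
            type = "application/octet-stream";
            disposition = "attachment";
        }
        // Keep the suggested filename ASCII so it cannot break the header.
        String safeBase = base.replaceAll("[^A-Za-z0-9._-]", "_");
        disposition += "; filename=\"" + safeBase + "\"";
        // nosniff stops the browser from second-guessing the declared type.
        return new Headers(type, disposition, "nosniff");
    }

    public static void main(String[] args) {
        System.out.println(forFile("uploads/evil.html"));
        System.out.println(forFile("logo.PNG"));
    }
}
```

With these headers an uploaded .html file is delivered as a download rather than rendered, which removes the script-execution path even before the framework upgrade is applied.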


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-04-14T21:47:11.450Z
Cisa Enriched
true

Threat ID: 682d983ec4522896dcbf019d

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 7/9/2025, 1:57:03 PM

Last updated: 7/28/2025, 9:05:50 AM

