
CVE-2025-32952: CWE-770: Allocation of Resources Without Limits or Throttling in jmix-framework jmix

Medium
Tags: Vulnerability | CVE-2025-32952 | cve | cwe-770
Published: Tue Apr 22 2025 (04/22/2025, 17:32:11 UTC)
Source: CVE
Vendor/Project: jmix-framework
Product: jmix

Description

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return an HTTP 500 error, resulting in a denial of service. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.

AI-Powered Analysis

AI Last updated: 07/09/2025, 13:57:37 UTC

Technical Analysis

CVE-2025-32952 is a medium severity vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the jmix-framework, a set of libraries and tools designed to accelerate Spring Boot data-centric application development. The vulnerability exists in the local file storage implementation of jmix versions 1.0.0 through 1.6.1 and 2.0.0 through 2.3.4. Specifically, the system does not impose any restrictions on the size of files uploaded by users. An attacker can exploit this by uploading excessively large files, which can exhaust the server's disk space. This resource exhaustion leads to server instability, causing HTTP 500 internal server errors and resulting in a denial of service (DoS) condition. The vulnerability does not impact confidentiality or integrity but severely affects availability. Exploitation requires network access and low privileges (PR:L), with no user interaction needed, making it relatively easy to exploit remotely. The issue has been addressed in versions 1.6.2 and 2.4.0 of jmix, and a workaround is documented on the official Jmix website. No known exploits are currently reported in the wild, but the vulnerability's nature suggests it could be leveraged for DoS attacks against affected services.

Potential Impact

For European organizations using the jmix framework in the specified vulnerable versions, this vulnerability poses a significant risk to service availability. Since jmix is used to develop data-centric Spring Boot applications, many enterprise applications, internal tools, or customer-facing services could be impacted. An attacker uploading large files could cause server storage exhaustion, leading to application crashes or unresponsiveness, disrupting business operations and potentially causing financial and reputational damage. Organizations in sectors such as finance, healthcare, government, and e-commerce, which often rely on Spring Boot applications, may experience service outages. Additionally, the lack of confidentiality or integrity impact means data breaches are unlikely, but the denial of service could be leveraged as part of a broader attack campaign or to distract from other malicious activities. The medium CVSS score (6.5) reflects the moderate risk, primarily due to the ease of exploitation and the impact on availability.

Mitigation Recommendations

European organizations should immediately assess their use of the jmix framework and identify any applications running vulnerable versions (>=1.0.0 and <1.6.2, or >=2.0.0 and <2.4.0). The primary mitigation is to upgrade to patched versions 1.6.2 or 2.4.0 as soon as possible. Until upgrades can be applied, organizations should implement strict file upload size limits at the application or web server level to prevent excessively large files from being accepted. Additionally, monitoring disk usage and setting alerts for abnormal increases can provide early warning signs of exploitation attempts. Implementing rate limiting and authentication controls on file upload endpoints can reduce the risk of abuse. Reviewing and applying the workaround provided in the official Jmix documentation is recommended. Finally, organizations should conduct penetration testing and code reviews to ensure no other resource exhaustion vulnerabilities exist in their customizations or integrations.
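As an added illustration of the application-level size cap recommended above (example code written for this page, not from the advisory or the Jmix project), the hypothetical BoundedUploadWriter below stops reading an upload stream once a configured cap is exceeded, discards the partial file, and refuses uploads that would push the storage volume below a free-space reserve. The class name, constructor parameters and storage layout are assumptions, and the client's declared Content-Length is used only as an early reject, never as the real size.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.FileStore;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

/** Hypothetical helper (added example, not Jmix code): stores an upload locally under a hard size cap. */
public final class BoundedUploadWriter {
    /** Thrown when an upload exceeds the cap; the partial file has already been deleted. Map it to HTTP 413. */
    public static final class UploadTooLargeException extends IOException {
        public UploadTooLargeException(String msg) { super(msg); }
    }
    private final Path storageRoot;
    private final long maxBytes;      // hard cap per file, e.g. 10L * 1024 * 1024
    private final long reserveBytes;  // free space that must still remain after a full-size upload
    public BoundedUploadWriter(Path storageRoot, long maxBytes, long reserveBytes) {
        this.storageRoot = storageRoot; this.maxBytes = maxBytes; this.reserveBytes = reserveBytes;
    }
    /** declaredLength is the client's Content-Length (or -1); it is only a fast reject, never trusted. */
    public Path store(InputStream in, long declaredLength, String fileName) throws IOException {
        if (declaredLength > maxBytes) {
            throw new UploadTooLargeException("declared " + declaredLength + " bytes exceeds cap " + maxBytes);
        }
        FileStore fs = Files.getFileStore(storageRoot);
        if (fs.getUsableSpace() - maxBytes < reserveBytes) {   // refuse before the volume can fill up
            throw new IOException("not enough free space to accept an upload of up to " + maxBytes + " bytes");
        }
        Path tmp = Files.createTempFile(storageRoot, "upload-", ".part");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            byte[] buf = new byte[8192];
            long written = 0;
            int n;
            while ((n = in.read(buf)) != -1) {
                written += n;
                if (written > maxBytes) {   // the bytes actually read decide, not the header; stop here
                    throw new UploadTooLargeException("upload exceeds cap of " + maxBytes + " bytes");
                }
                out.write(buf, 0, n);
            }
        } catch (IOException e) {
            Files.deleteIfExists(tmp);      // never leave a partial file consuming disk
            throw e;
        }
        Path target = storageRoot.resolve(Path.of(fileName).getFileName());  // drop client-supplied directories
        return Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
    }
}
```

The endpoint that receives the file should translate UploadTooLargeException into an HTTP 413 response, so an oversized upload is rejected cleanly instead of surfacing later as the HTTP 500 the advisory describes.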


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-04-14T21:47:11.450Z
Cisa Enriched
true

Threat ID: 682d983ec4522896dcbf01a1

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 7/9/2025, 1:57:37 PM

Last updated: 8/12/2025, 8:26:23 PM

