CVE-2025-40592: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Siemens Mendix Studio Pro 10

Medium
Published: Thu Jun 12 2025 (06/12/2025, 08:05:09 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: Mendix Studio Pro 10

Description

A vulnerability has been identified in Mendix Studio Pro 10 (All versions < V10.23.0), Mendix Studio Pro 10.12 (All versions < V10.12.17), Mendix Studio Pro 10.18 (All versions < V10.18.7), Mendix Studio Pro 10.6 (All versions < V10.6.24), Mendix Studio Pro 11 (All versions), Mendix Studio Pro 8 (All versions < V8.18.35), Mendix Studio Pro 9 (All versions < V9.24.35). A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation.

AI-Powered Analysis

Last updated: 06/12/2025, 08:38:30 UTC

Technical Analysis

CVE-2025-40592 is a path traversal vulnerability identified in Siemens Mendix Studio Pro 10 and several other versions of Mendix Studio Pro (including versions 8, 9, 10, and 11). The vulnerability arises during the module installation process, where the software improperly limits pathname inputs when extracting zip archives. Specifically, a maliciously crafted module distributed, for example, via the Mendix Marketplace, can exploit this flaw to write or modify arbitrary files outside the intended project directory. This occurs because directory traversal sequences (e.g., "../") in the archive's entry names are neither rejected nor neutralised, so extracted files escape the restricted directory sandbox. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVSS 3.1 base score is 6.1, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N) shows that the attack can be performed remotely over the network without privileges but requires user interaction (installing the malicious module). The impact is high on integrity, as arbitrary files can be overwritten or created, potentially leading to code execution or tampering with project files, but there is no direct impact on confidentiality or availability. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable software boundary. No known exploits are currently in the wild, and no patches are linked yet, indicating that mitigation relies on cautious module installation and monitoring. This vulnerability affects all Mendix Studio Pro versions prior to the specified fixed versions (e.g., <10.23.0 for version 10).
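As an added illustration (not Siemens' or Mendix's code, and not the actual Studio Pro installer logic), the following Python shows the check a zip extractor needs in order to defeat the traversal class described above: every entry name is resolved against the destination directory before anything is written, and entries that would land outside it are refused. The sample archive, directory names and function names are constructed for the example.

```python
import io, ntpath, tempfile, zipfile
from pathlib import Path

def build_sample_module() -> bytes:
    """Constructed sample (not a real Mendix module): one benign entry, three escapes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyModule/README.txt", "benign module file")
        zf.writestr("../../startup.cmd", "would land two levels above dest")
        zf.writestr("/abs/elsewhere.txt", "absolute entry name")
        zf.writestr("..\\..\\win.txt", "backslash-separated traversal")
    return buf.getvalue()

def entry_escapes(dest: Path, member_name: str) -> bool:
    """True if writing this entry under dest would resolve outside dest."""
    name = member_name.replace("\\", "/")            # zips from Windows tools
    if name.startswith("/") or ntpath.splitdrive(name)[0]:
        return True                                  # absolute or drive-rooted
    root = dest.resolve()                            # resolve() follows symlinks
    return not (root / name).resolve().is_relative_to(root)  # Python 3.9+

def audit_module(data: bytes, dest: Path) -> list[str]:
    """Entry names that would escape dest; inspection only, nothing written."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if entry_escapes(dest, n)]

def safe_extract(data: bytes, dest: Path) -> list[str]:
    """Extract only entries that stay inside dest; return the names written."""
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_escapes(dest, info.filename):
                continue                             # refuse, do not "sanitise"
            if info.is_dir():                        # dirs are created via parents below
                continue
            target = (dest.resolve() / info.filename).resolve()
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written

def demo() -> tuple[list[str], list[str], bool]:
    """Audit and extract into a scratch dir two levels deep; report any leak."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "project" / "modules"
        flagged = audit_module(build_sample_module(), dest)
        written = safe_extract(build_sample_module(), dest)
        leaked = (Path(tmp) / "startup.cmd").exists()
    return flagged, written, leaked
```

Running `audit_module` before installation gives a review step that lists offending entries without touching the file system; `safe_extract` is the enforcing counterpart.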

Potential Impact

For European organizations using Mendix Studio Pro for application development, this vulnerability poses a significant risk to the integrity of their development environments. An attacker distributing a malicious module could compromise project files or inject malicious code, potentially leading to compromised applications that are deployed to production. This could result in downstream security breaches, data integrity issues, and reputational damage. Since Mendix is widely used for rapid application development, especially in sectors like finance, manufacturing, and public services, the risk extends to critical business applications. The requirement for user interaction (module installation) means that social engineering or supply chain attacks targeting developers are likely attack vectors. The vulnerability does not directly impact confidentiality or availability but could indirectly lead to broader security incidents if exploited to insert backdoors or disrupt development workflows. The medium CVSS score reflects the moderate ease of exploitation combined with significant integrity impact. European organizations relying on Mendix Studio Pro should consider this vulnerability a priority to address to avoid potential compromise of their software supply chain and development integrity.

Mitigation Recommendations

Restrict module installation to trusted sources only, such as verified modules from the official Mendix Marketplace with strong vetting processes. Implement strict code review and validation procedures for any third-party or internally developed Mendix modules before installation. Use sandboxing or isolated environments for module installation to prevent unauthorized file system modifications outside the project directory. Monitor file system changes in development environments for unexpected modifications outside project directories, using file integrity monitoring tools. Educate developers about the risks of installing untrusted modules and enforce policies requiring verification of module provenance. Apply updates and patches from Siemens Mendix Studio Pro as soon as they become available, prioritizing versions 10.23.0, 10.12.17, 10.18.7, 10.6.24, 8.18.35, and 9.24.35 or later. Consider network-level controls to restrict access to module distribution points and use endpoint protection to detect suspicious activity during module installation.


Technical Details

Data Version
5.1
Assigner Short Name
siemens
Date Reserved
2025-04-16T08:20:17.034Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 684a8e82358c65714e6a3a5a

Added to database: 6/12/2025, 8:23:30 AM

Last enriched: 6/12/2025, 8:38:30 AM

Last updated: 6/13/2025, 7:04:32 AM

