CVE-2025-32950— io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage

CVSS 6.5 · Medium EPSS 0.51% · P67 Updated May 28, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-32950

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage

Source: NVD (National Vulnerability Database)

Vulnerability Description

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the `/files` endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

路径遍历：’…/…//’

Source: NVD (National Vulnerability Database)

Vulnerability Title

Jmix 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Jmix是Jmix公司的一组库和工具，用于加速 Spring Boot 以数据为中心的应用程序开发。 Jmix 1.0.0至1.6.1版本和2.0.0至2.3.4版本存在安全漏洞，该漏洞源于FileRef参数操作不当，可能导致文件访问。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
jmix-framework	jmix	>= 1.0.0, < 1.6.2	-

II. Public POCs for CVE-2025-32950

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-32950

请登录查看更多情报信息。

https://docs.jmix.io/jmix/files-vulnerabilities.htmlx_refsource_MISC
Path Traversal in Local File Storage · Advisory · jmix-framework/jmix · GitHubx_refsource_CONFIRM
Backport REST files fixes to 1.6 #3836 · jmix-framework/jmix@6a66aa3 · GitHubx_refsource_MISC
https://docs.jmix.io/jmix/files-vulnerabilities.html#fix-path-traversal-in-jmix-applicationx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2025-32950

Same Patch Batch · jmix-framework · 2025-04-22 · 3 CVEs total

CVE-2025-32952	6.5 MEDIUM	io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage
CVE-2025-32951	6.4 MEDIUM	io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API

IV. Related Vulnerabilities

Same product: jmix

Same vendor: jmix-framework

Same weakness: CWE-35

V. Comments for CVE-2025-32950

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-32950— io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage

I. Basic Information for CVE-2025-32950

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-32950

III. Intelligence Information for CVE-2025-32950

Same Patch Batch · jmix-framework · 2025-04-22 · 3 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2025-32950

Leave a comment