oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-27553: Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT

From: "Gary D. Gregory" <ggregory () apache org>
Date: Sun, 23 Mar 2025 13:29:52 +0000
Severity: low

Affected versions:

- Apache Commons VFS before 2.10.0

Description:

Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.

The FileObject API in Commons VFS has a 'resolveFile' method that
takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file 
is not a descendent of
the base file". However, when the path contains encoded ".."
characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not
a descendent of the base file, without throwing an exception.
This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.

Credit:

Arnout Engelen (finder)

References:

https://commons.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-27553
Previous By Date Next
Previous By Thread Next

Current thread: