CVE-2025-32961: XSS in the /download Endpoint of the JPA Web API
(updated )
The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand.
The severity of the vulnerability is mitigated by the fact that the application UI and the JPA Web API are typically accessible only to authenticated users.
References
- docs.jmix.io/jmix/files-vulnerabilities.html
- docs.jmix.io/jmix/files-vulnerabilities.html
- github.com/advisories/GHSA-hg25-w3vg-7279
- github.com/cuba-platform/jpawebapi
- github.com/cuba-platform/jpawebapi/commit/78b837d7e2b12d0df69cef1bc6042ebf3bdaf22c
- github.com/cuba-platform/jpawebapi/security/advisories/GHSA-hg25-w3vg-7279
- github.com/jmix-framework/jmix/security/advisories/GHSA-x27v-f838-jh93
- nvd.nist.gov/vuln/detail/CVE-2025-32961
Code Behaviors & Features
Detect and mitigate CVE-2025-32961 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →