CVE-2025-32950: io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage

April 22, 2025 (updated April 23, 2025)

Attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the /files endpoint of the generic REST API.

Arbitrary file reading on the operating system where the Jmix process is running.

The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users. Additionally, the /files endpoint in Jmix requires specific permissions and is disabled by default.

References

Code Behaviors & Features

Detect and mitigate CVE-2025-32950 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →