CVE-2025-32952: io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage

April 22, 2025 (updated April 23, 2025)

The local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service.

The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users. Additionally, the /files endpoint in Jmix requires specific permissions and is disabled by default.

References

docs.jmix.io/jmix/files-vulnerabilities.html
docs.jmix.io/jmix/files-vulnerabilities.html
github.com/advisories/GHSA-f3gv-cwwh-758m
github.com/jmix-framework/jmix
github.com/jmix-framework/jmix/security/advisories/GHSA-f3gv-cwwh-758m
nvd.nist.gov/vuln/detail/CVE-2025-32952

Code Behaviors & Features

Detect and mitigate CVE-2025-32952 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →