CVE-2025-32951: io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API

April 22, 2025 (updated April 23, 2025)

The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand.

The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users. Additionally, the /files endpoint in Jmix requires specific permissions and is disabled by default.

References

docs.jmix.io/jmix/files-vulnerabilities.html
docs.jmix.io/jmix/files-vulnerabilities.html
github.com/advisories/GHSA-x27v-f838-jh93
github.com/jmix-framework/jmix
github.com/jmix-framework/jmix/security/advisories/GHSA-x27v-f838-jh93
nvd.nist.gov/vuln/detail/CVE-2025-32951

Code Behaviors & Features

Detect and mitigate CVE-2025-32951 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →