CVE-2025-13261: lsFusion Platform has Path Traversal vulnerability
A vulnerability was found in lsFusion Platform up to 6.1. It affects the function DownloadFileRequestHandler in the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Manipulating the argument Version results in path traversal. The attack can be carried out remotely. The exploit has been made public and could be used.