CVE-2025-27553: Apache Commons VFS Has Relative Path Traversal Vulnerability
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.
The FileObject API in Commons VFS has a ‘resolveFile’ method that takes a ‘scope’ parameter. Specifying ‘NameScope.DESCENDENT’ promises that “an exception is thrown if the resolved file is not a descendent of the base file”. However, when the path contains encoded “..” characters (for example, “%2E%2E/bar.txt”), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0.
Users are recommended to upgrade to version 2.10.0, which fixes the issue.
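Added illustration, not code from Commons VFS: a toy resolver that models the ordering the advisory describes (descendent check on the still-encoded name, percent-decoding afterwards) beside a decode-first ordering that rejects the "%2E%2E/bar.txt" case. The base directory and relative names are constructed for the demonstration.

```python
from posixpath import normpath
from urllib.parse import unquote

BASE = "/srv/data"  # constructed base directory the caller wants to stay inside


def _join_and_normalize(base: str, rel: str) -> str:
    """Join rel onto base and collapse '.' and '..' segments (POSIX rules)."""
    return normpath(base.rstrip("/") + "/" + rel)


def _is_descendent(base: str, path: str) -> bool:
    """True only if path lies strictly below base."""
    return path.startswith(base.rstrip("/") + "/")


def resolve_late_decode(base: str, rel: str) -> str:
    """Flawed ordering: the descendent check sees the encoded name, and the
    percent-decoding happens later, when the path reaches the filesystem.
    A literal '..' is caught; an encoded '%2E%2E' passes and then escapes."""
    candidate = _join_and_normalize(base, rel)
    if not _is_descendent(base, candidate):
        raise ValueError(f"{rel!r} is not a descendent of {base}")
    return normpath(unquote(candidate))  # late decode turns %2E%2E into ..


def _fully_decode(rel: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '..' cannot slip past."""
    for _ in range(rounds):
        decoded = unquote(rel)
        if decoded == rel:
            return decoded
        rel = decoded
    raise ValueError("too many encoding layers")


def resolve_decode_first(base: str, rel: str) -> str:
    """Hardened ordering: decode, then normalize, then check descendent."""
    candidate = _join_and_normalize(base, _fully_decode(rel))
    if not _is_descendent(base, candidate):
        raise ValueError(f"{rel!r} is not a descendent of {base}")
    return candidate


def outcome(resolver, base: str, rel: str) -> str:
    """Resolved path, or 'REJECTED' when the resolver raises."""
    try:
        return resolver(base, rel)
    except ValueError:
        return "REJECTED"


if __name__ == "__main__":
    for rel in ("sub/bar.txt", "../bar.txt", "%2E%2E/bar.txt", "%252E%252E/bar.txt"):
        print(rel, outcome(resolve_late_decode, BASE, rel), outcome(resolve_decode_first, BASE, rel))
```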