CVE-2025-30474: Apache Commons VFS Exposure of Sensitive Information to an Unauthorized Actor

March 23, 2025 (updated March 25, 2025)

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.

The FtpFileObject class can throw an exception when a file is not found, and the exception message contains the original URI, which may include a password from the URI's user-info part. The fix masks the password in the exception message. This issue affects Apache Commons VFS versions before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.
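The Java class below is an added illustration, not code from Apache Commons VFS or from this advisory. It shows the pattern the advisory describes: an exception message built from the raw file URI carries the password embedded in the URI's user-info part (typically into logs and stack traces), while masking that component before building the message keeps the message diagnostic without the secret. The class name, the helper methods, the MissingFileException type and the sample FTP URIs are all constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (hypothetical, not Apache Commons VFS code): masking the
 * password of a URI before it is embedded in an exception message.
 */
public class UriCredentialMasking {

    /**
     * Replace the password in "user:password@host" with "***".
     * URIs without user-info or without a password are returned unchanged;
     * a string that does not parse as a URI is not echoed back at all,
     * because it might still contain a secret.
     */
    public static String maskPassword(String uriString) {
        URI uri;
        try {
            uri = new URI(uriString);
        } catch (URISyntaxException e) {
            return "<unparseable URI>";
        }
        String rawUserInfo = uri.getRawUserInfo(); // undecoded, so it matches the input text
        if (rawUserInfo == null) {
            return uriString;
        }
        int colon = rawUserInfo.indexOf(':');
        if (colon < 0) {
            return uriString; // user name only, nothing to hide
        }
        String user = rawUserInfo.substring(0, colon);
        // Literal (non-regex) replacement of the "user:password@" segment.
        return uriString.replace(rawUserInfo + "@", user + ":***@");
    }

    /** The vulnerable pattern: the raw URI goes straight into the message. */
    public static String leakyMessage(String uriString) {
        return "File not found: " + uriString;
    }

    /** The hardened pattern: mask first, then build the message. */
    public static String safeMessage(String uriString) {
        return "File not found: " + maskPassword(uriString);
    }

    /** Illustrative exception type standing in for a file-system exception. */
    public static class MissingFileException extends Exception {
        public MissingFileException(String uriString) {
            super(safeMessage(uriString));
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: with password, without password, unparseable.
        String[] inputs = {
            "ftp://alice:s3cret@ftp.example.test/reports/q1.csv",
            "ftp://alice@ftp.example.test/pub/readme.txt",
            "not a uri %%"
        };
        for (String in : inputs) {
            System.out.println("leaky: " + leakyMessage(in));
            System.out.println("safe : " + safeMessage(in));
            try {
                throw new MissingFileException(in);
            } catch (MissingFileException e) {
                System.out.println("exception message: " + e.getMessage());
            }
        }
    }
}
```

The masking works on the raw (undecoded) user-info so that the replacement matches the input text exactly even when the password is percent-encoded. Because exception messages commonly end up in log aggregation and error reporting, a useful follow-up check for anyone who ran an affected version is to search retained application logs for `ftp://` (or other scheme) URIs containing a `user:password@` segment and treat any credentials found there as exposed.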

References

  • github.com/advisories/GHSA-3936-3gx6-49c4
  • github.com/apache/commons-vfs
  • issues.apache.org/jira/browse/VFS-169
  • lists.apache.org/thread/w6ztgnbk6ccry3470x191g3xwrpgy6f4
  • nvd.nist.gov/vuln/detail/CVE-2025-30474

Affected versions

All versions before 2.10.0

Fixed versions

  • 2.10.0

Solution

Upgrade to version 2.10.0 or above.

Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Source file

maven/org.apache.commons/commons-vfs2/CVE-2025-30474.yml

Page generated Tue, 13 May 2025 00:14:34 +0000.