CVE-2025-53622: DSpace is vulnerable to Path Traversal attacks when importing packages using Simple Archive Format

A path traversal vulnerability is possible during the import of an archive (in Simple Archive Format), either from command-line (./dspace import command) or from the “Batch Import (Zip)” user interface feature. This vulnerability likely impacts all versions of DSpace 1.x <= 7.6.3, 8.0 <= 8.1, and 9.0.

An attacker may craft a malicious Simple Archive Format (SAF) package where the contents file references any system files (using relative traversal sequences) which are readable by the Tomcat user. If such a package is imported, this will result in sensitive content disclose, including retrieving arbitrary files or configurations from the server where DSpace is running.

The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import).

• The most severe practical impact is a case where an attacker obtains DSpace administrator credentials and uses the Batch Import feature with a malicious SAF archive to expose sensitive local files readable by the Tomcat user.
• An attacker without administrative credentials might use some other tactic to convince an administrator to import a malicious SAF archive they have supplied.