Vulnerability DatabaseCVE-2025-27553
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-27553
March 23, 2025
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Affected Packages
org.apache.commons:commons-vfs2 (JAVA):
Affected version(s) >=2.0 <2.10.0
Fix Suggestion:
Update to version 2.10.0
Related Resources (5)
https://lists.apache.org/thread/cnzqowyw9r2pl263cylmxhnvh41hyjcb
https://github.com/apache/commons-vfs
http://www.openwall.com/lists/oss-security/2025/03/23/1
https://lists.debian.org/debian-lts-announce/2025/04/msg00006.html
https://nvd.nist.gov/vuln/detail/CVE-2025-27553
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Relative Path Traversal
CWE-23
EPSS
Base Score:
0.36