CVE-2025-27553
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-27553
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-27553.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-27553
- Aliases
- Downstream
- Related
- Published
- 2025-03-23T15:15:13Z
- Modified
- 2025-09-06T13:01:25Z
- Summary
- [none]
- Details
-
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.
The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0.
Users are recommended to upgrade to version 2.10.0, which fixes the issue.
- References