GHSA-f3gv-cwwh-758m

Suggest an improvement
Source
https://github.com/advisories/GHSA-f3gv-cwwh-758m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-f3gv-cwwh-758m/GHSA-f3gv-cwwh-758m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-f3gv-cwwh-758m
Aliases
Related
Published
2025-04-22T16:55:41Z
Modified
2025-05-27T17:01:02Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage
Details

Impact

The local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service.

The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users. Additionally, the /files endpoint in Jmix requires specific permissions and is disabled by default.

Patches

The problem has been fixed in Jmix 1.6.2+ and 2.4.0+.

Workarounds

A workaround for those who are unable to upgrade: Disable Files Endpoint in Jmix Application.

Database specific 
{
    "github_reviewed_at": "2025-04-22T16:55:41Z",
    "severity": "MODERATE",
    "nvd_published_at": "2025-04-22T18:16:00Z",
    "cwe_ids": [
        "CWE-770"
    ],
    "github_reviewed": true
}
References

Affected packages

Maven / io.jmix.localfs:jmix-localfs

Package

Name
io.jmix.localfs:jmix-localfs
View open source insights on deps.dev
Purl
pkg:maven/io.jmix.localfs/jmix-localfs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.6.2

Maven / io.jmix.localfs:jmix-localfs

Package

Name
io.jmix.localfs:jmix-localfs
View open source insights on deps.dev
Purl
pkg:maven/io.jmix.localfs/jmix-localfs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.4.0