GHSA-w3mp-6vrj-875g

Source

https://github.com/advisories/GHSA-w3mp-6vrj-875g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-w3mp-6vrj-875g/GHSA-w3mp-6vrj-875g.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-w3mp-6vrj-875g

Aliases

CVE-2025-32959

Related

CVE-2025-32959

Published

2025-04-22T16:57:36Z

Modified

2025-04-23T15:21:19Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Cuba has a DoS in the File Storage

Details

Impact

The local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service.

The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users.

Patches

The problem has been fixed in CUBA 7.2.23.

Workarounds

A workaround for those who are unable to upgrade: Disable Files Endpoint in CUBA Application.

References

Files Functionality Vulnerabilities :: Jmix Documentation

Similar vulnerability in Jmix: DoS in the Local File Storage · Advisory · jmix-framework/jmix

Database specific

{
    "nvd_published_at": "2025-04-22T18:16:00Z",
    "github_reviewed_at": "2025-04-22T16:57:36Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "MODERATE"
}

References

Affected packages

Maven / com.haulmont.cuba:cuba-core

Package

Name: com.haulmont.cuba:cuba-core; View open source insights on deps.dev
Purl: pkg:maven/com.haulmont.cuba/cuba-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.2.23