CVE-2025-32951 – io.jmix.rest:jmix-rest

Package

Manager: maven
Name: io.jmix.rest:jmix-rest
Vulnerable Version: >=1.0.0 <1.6.2 || >=2.0.0 <2.4.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00103 pctl0.28894

Details

io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API ### Impact The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users. Additionally, the /files endpoint in Jmix requires specific permissions and is disabled by default. ### Patches The problem has been fixed in Jmix 1.6.2+ and 2.4.0+. ### Workarounds A workaround for those who are unable to upgrade: [Disable Files Endpoint in Jmix Application](https://docs.jmix.io/jmix/files-vulnerabilities.html#disable-files-endpoint-in-jmix-application).

Metadata

Created: 2025-04-22T16:55:13Z
Modified: 2025-05-27T17:19:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-x27v-f838-jh93/GHSA-x27v-f838-jh93.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-x27v-f838-jh93
Finding: F425
Auto approve: 1