CVE-2025-27553
Published: 23 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-27553 is a relative path traversal vulnerability in the FileObject API of Apache Commons VFS versions prior to 2.10.0. The 'resolveFile' method accepts a 'scope' parameter, where specifying NameScope.DESCENDENT is intended to throw an exception if the resolved file is not a descendant of the base file. However, when the path includes encoded ".." characters, such as "%2E%2E/bar.txt", the method can return file objects outside the base file's descendant hierarchy without raising an exception, enabling unauthorized file access.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By supplying a malicious path to the resolveFile method with the DESCENDENT scope, an unauthenticated adversary can traverse directory boundaries and access sensitive files outside the intended scope, resulting in high-impact confidentiality violations without affecting integrity or availability.
Apache recommends upgrading to Commons VFS version 2.10.0, which addresses the issue. Official advisories, including those from the Apache mailing lists, OSS-Security, and Debian LTS announcements, confirm the fix and urge affected users to update promptly.
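As an added illustration of the bug class described above (not code from Apache Commons VFS), the Python sketch below contrasts a descendant check that inspects the raw path string with one that percent-decodes and normalises before testing containment. The base directory and file names are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE = "/srv/data"  # constructed base directory for the example


def naive_in_scope(rel_path: str) -> bool:
    """Flawed check modelled on the bug class: looks for a literal '..'
    segment in the raw string, so an encoded '%2E%2E/bar.txt' passes."""
    return ".." not in rel_path.split("/")


def resolve_descendant(base: str, rel_path: str) -> Optional[str]:
    """Hardened resolution: decode once, normalise, then require the
    result to lie strictly under base (the base itself does not count
    as a descendant). Returns the resolved path, or None on escape."""
    decoded = unquote(rel_path)  # '%2E%2E' -> '..', '%2F' -> '/'
    if decoded.startswith("/"):  # an absolute path is never a descendant
        return None
    base_norm = posixpath.normpath(base)
    resolved = posixpath.normpath(posixpath.join(base_norm, decoded))
    # normpath has already collapsed '..' segments, so a prefix test on
    # the normalised form is sufficient; decoding only once means a
    # double-encoded '%252E' stays a literal file name, not a traversal.
    if resolved == base_norm or not resolved.startswith(base_norm + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for candidate in ("reports/q1.txt", "../bar.txt", "%2E%2E/bar.txt"):
        print(candidate, naive_in_scope(candidate),
              resolve_descendant(BASE, candidate))
```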
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated path traversal in a public-facing file API enables initial access through exploitation of a public-facing application (T1190) and direct unauthorized access to local file data (T1005).