Vulnerability Details CVE-2025-27553
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.
The FileObject API in Commons VFS has a 'resolveFile' method that
takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of
the base file". However, when the path contains encoded ".."
characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not
a descendent of the base file, without throwing an exception.
This issue affects Apache Commons VFS: before 2.10.0.
Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 40.6%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2025-27553
-
cpe:2.3:a:apache:commons_vfs:-
-
cpe:2.3:a:apache:commons_vfs:1.0
-
cpe:2.3:a:apache:commons_vfs:2.0
-
cpe:2.3:a:apache:commons_vfs:2.1
-
cpe:2.3:a:apache:commons_vfs:2.2
-
cpe:2.3:a:apache:commons_vfs:2.3
-
cpe:2.3:a:apache:commons_vfs:2.4
-
cpe:2.3:a:apache:commons_vfs:2.4.1
-
cpe:2.3:a:apache:commons_vfs:2.5.0
-
cpe:2.3:a:apache:commons_vfs:2.6.0
-
cpe:2.3:a:apache:commons_vfs:2.7.0
-
cpe:2.3:a:apache:commons_vfs:2.8.0
-
cpe:2.3:a:apache:commons_vfs:2.9.0