CVE-2025-27553
Summary (GitHub advisory)
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.
The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains percent-encoded ".." sequences (for example, "%2E%2E/bar.txt"), the method may return a file object that is not a descendant of the base file without throwing an exception. This issue affects Apache Commons VFS versions before 2.10.0.
Users are recommended to upgrade to version 2.10.0, which fixes the issue.
EPSS Score: 0.01277 (0.662)
Common Weakness Enumeration (CWE), by source
NIST: Relative Path Traversal (CWE-23)
GitHub: Relative Path Traversal (CWE-23)
GitLab: -
Red Hat: Relative Path Traversal (CWE-23)
Per-source advisory details

| Source  | Advisory ID         | Exploitability score | Exploits found | CWE                     | CVSS score   |
|---------|---------------------|----------------------|----------------|-------------------------|--------------|
| NIST    | CVE-2025-27553      | 3.9                  | -              | Relative Path Traversal | 7.5 (high)   |
| GitHub  | GHSA-9q4x-fr4m-jp86 | 3.9                  | -              | Relative Path Traversal | 7.5 (high)   |
| Debian  | CVE-2025-27553      | -                    | -              | -                       | -            |
| Ubuntu  | CVE-2025-27553      | -                    | -              | -                       | N/A (medium) |
| Amazon  | ALAS2-2025-2842     | -                    | -              | -                       | N/A (medium) |
| Red Hat | CVE-2025-27553      | 3.9                  | -              | Relative Path Traversal | 5.3 (medium) |
| Oracle  | ELSA-2025-10548     | -                    | -              | -                       | -            |