CVE-2025-32951

Source
https://cve.org/CVERecord?id=CVE-2025-32951
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32951.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32951
Published
2025-04-22T17:32:23.401Z
Modified
2026-04-12T16:10:18.132008Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Summary
io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API
Details

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated so that the response is returned with a Content-Type header of text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32951.json"
}
Affected packages

Git / github.com/cuba-platform/cuba

Affected ranges

Type
GIT
Repo
https://github.com/cuba-platform/cuba
Events
Database specific
{
    "versions": [
        {
            "introduced": "6.2.0"
        },
        {
            "fixed": "7.2.23"
        },
        {
            "introduced": "7.1.1"
        },
        {
            "fixed": "7.2.7"
        }
    ]
}

Database specific

vanir_signatures
[
    {
        "id": "CVE-2025-32951-03606b61",
        "target": {
            "function": "saveStream",
            "file": "modules/core/src/com/haulmont/cuba/core/app/filestorage/FileStorage.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/cuba-platform/cuba/commit/42b6c00fd0572b8e52ae31afd1babc827a3161a1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "154094281552645561377766846870311210537",
            "length": 1480.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32951-29ffb964",
        "target": {
            "function": "collapseItemInTree",
            "file": "modules/web/src/com/haulmont/cuba/web/app/folders/CubaFoldersPane.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/cuba-platform/cuba/commit/abd9e244c75e57c4dedda9dee94625e04c7e9605",
        "signature_type": "Function",
        "digest": {
            "function_hash": "230535455277896422540158206117462863579",
            "length": 722.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32951-45938e32",
        "target": {
            "file": "modules/web/src/com/haulmont/cuba/web/app/folders/CubaFoldersPane.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/cuba-platform/cuba/commit/abd9e244c75e57c4dedda9dee94625e04c7e9605",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32951-9bf1e190",
        "target": {
            "file": "modules/core/src/com/haulmont/cuba/core/app/ServerConfig.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/cuba-platform/cuba/commit/42b6c00fd0572b8e52ae31afd1babc827a3161a1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32951-a91835e8",
        "target": {
            "file": "modules/core/src/com/haulmont/cuba/core/app/filestorage/FileStorage.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/cuba-platform/cuba/commit/42b6c00fd0572b8e52ae31afd1babc827a3161a1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32951.json"
vanir_signatures_modified
"2026-04-12T16:10:18Z"

Git / github.com/jmix-framework/jmix

Affected ranges

Type
GIT
Repo
https://github.com/jmix-framework/jmix
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.6.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/jmix-framework/jmix
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.4.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32951.json"