CVE-2025-32952
Last modified
CVE-2025-32952 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. EPSS estimates a 0.56% chance of exploitation in the next 30 days.
Description
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Haulmont | Cuba Platform | >= 6.2.0, < 7.2.23 |
| Haulmont | Cuba Rest Api | >= 7.1.1, < 7.2.7 |
| Haulmont | Jmix Framework | >= 1.0.0, < 1.6.2 |
| Haulmont | Jmix Framework | >= 2.0.0, < 2.4.0 |
| Haulmont | Jpa Web Api | >= 1.0.0, < 1.1.1 |
References
- https://docs.jmix.io/jmix/files-vulnerabilities.htmlVendor Advisory
- https://github.com/jmix-framework/jmix/issues/3804Issue Tracking
- https://github.com/jmix-framework/jmix/issues/3836Issue Tracking
- https://github.com/jmix-framework/jmix/security/advisories/GHSA-f3gv-cwwh-758mPatch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-32952?
How severe is CVE-2025-32952?
How do I fix CVE-2025-32952?
Are you affected by CVE-2025-32952?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST