CVE-2025-48382: Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates ...

Description

Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files. This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact. This issue has been patched in version 14.19.2. A workaround for this issue involves ensuring local access to the environment running Fess is restricted to trusted users only.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0

1.2/10

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.13%

2.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-732

Affected Software

Vendor	Product	Versions
Codelibs	Fess	< 14.19.2

References

Timeline

Published: May 27, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-48382?

Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files. This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact. This issue has been patched in version 14.19.2. A workaround for this issue involves ensuring local access to the environment running Fess is restricted to trusted users only.

How severe is CVE-2025-48382?

CVE-2025-48382 has a CVSS score of 1.2/10 (LOW severity). The EPSS model estimates a 0.13% probability of exploitation in the next 30 days.

How do I fix CVE-2025-48382?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.