VDB

DEBIAN-CVE-2025-27553

Status: PUBLISHED | CVSS 7.5 HIGH

Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
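An added defender-side example (not code from the Commons VFS project or from this advisory): a hypothetical wrapper that percent-decodes the caller-supplied name to a fixed point and rejects any ".." segment before the name reaches resolveFile(name, NameScope.DESCENDENT), then re-checks the result with FileName.isDescendent as defence in depth. The class name, the base path file:///tmp/vfs-base and Java 10+ (for the URLDecoder overload that takes a Charset) are assumptions; the actual fix is upgrading to 2.10.0.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

import org.apache.commons.vfs2.FileObject;
import org.apache.commons.vfs2.FileSystemException;
import org.apache.commons.vfs2.FileSystemManager;
import org.apache.commons.vfs2.NameScope;
import org.apache.commons.vfs2.VFS;

/** Hypothetical wrapper; not part of Commons VFS. */
public final class SafeResolve {

    /** Percent-decode until the string stops changing, so %252E%252E is caught as well as %2E%2E.
     *  URLDecoder throws IllegalArgumentException on malformed % sequences, which fails closed. */
    static String fullyDecode(String s) {
        String prev;
        do {
            prev = s;
            s = URLDecoder.decode(s, StandardCharsets.UTF_8);
        } while (!s.equals(prev));
        return s;
    }

    /** True only for a relative name with no decoded ".." segment, no scheme/drive and no leading slash. */
    static boolean isSafeRelativeName(String name) {
        if (name.isEmpty() || name.contains(":")) return false; // conservative: no "scheme:" or "C:" prefixes
        String decoded = fullyDecode(name).replace('\\', '/');
        if (decoded.startsWith("/")) return false;               // absolute path
        for (String seg : decoded.split("/")) {
            if (seg.equals("..")) return false;                   // traversal segment after decoding
        }
        return true;
    }

    /** Validate the name first, then resolve it and re-verify the result against the base. */
    static FileObject resolveDescendant(FileObject base, String name) throws FileSystemException {
        if (!isSafeRelativeName(name)) {
            throw new IllegalArgumentException("rejected path name: " + name);
        }
        FileObject resolved = base.resolveFile(name, NameScope.DESCENDENT);
        if (!base.getName().isDescendent(resolved.getName())) {  // belt-and-braces post-check
            throw new IllegalArgumentException("resolved outside base: " + resolved.getName());
        }
        return resolved;
    }

    public static void main(String[] args) throws FileSystemException {
        FileSystemManager fsm = VFS.getManager();
        FileObject base = fsm.resolveFile("file:///tmp/vfs-base");   // assumption: sample base directory
        System.out.println(isSafeRelativeName("docs/bar.txt"));      // true
        System.out.println(isSafeRelativeName("%2E%2E/bar.txt"));    // false: the encoded form from the advisory
        System.out.println(isSafeRelativeName("%252E%252E/bar.txt")); // false: double-encoded
        System.out.println(resolveDescendant(base, "docs/bar.txt").getName().getPath());
    }
}
```

The pre-validation is what blocks the encoded form described above; the isDescendent post-check alone should not be relied on for it, since the returned FileObject may still carry the encoded name.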

Risk Scores

CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor     Product      Versions
Debian:14  commons-vfs  0, 0
Debian:12  commons-vfs  2.1-4, 0, 2.1-4
Debian:11  commons-vfs  2.1-2, 2.1-2, 0
Debian:13  commons-vfs  0, 0

Timeline

  • Mar 23, 2025 CVE Published
  • Apr 28, 2026 CVE Updated