DEBIAN-CVE-2025-30474

DEBIAN-CVE-2025-30474 PUBLISHED CVSS 5 MEDIUM

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.

Risk Scores

CVSS 3.1
5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Affected Products

Vendor       Product        Versions
Debian:12    commons-vfs    0, 0
Debian:11    commons-vfs    0, 0
Debian:14    commons-vfs    0, 0
Debian:13    commons-vfs    0, 0

Timeline

  • Mar 23, 2025 CVE Published
  • Apr 28, 2026 CVE Updated