CVE-2025-27553 Information

Description

Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.

The FileObject API in Commons VFS has a ‘resolveFile’ method that takes a ‘scope’ parameter. Specifying ‘NameScope.DESCENDENT’ promises that an exception is thrown if the resolved file is not a descendent of the base file. However, when the path contains encoded ‘..’ characters (for example %2E%2E/bar.txt) it might return file objects that are not a descendent of the base file without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0 which fixes the issue.
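The bug class behind this advisory is a containment check that runs before the path is percent-decoded, so ‘%2E%2E’ is not recognised as ‘..’ at check time. The following is an added illustration, not Apache Commons VFS code: it models that ordering flaw in Python rather than through VFS's Java API, with a flawed resolver beside a corrected one. The function names (resolve_vulnerable, resolve_fixed, try_resolve), the base directory ‘/data’ and the sample inputs are all constructed for the example.

```python
"""Model of the bug class described in CVE-2025-27553: a 'must stay under base'
check that runs before percent-decoding can be bypassed with %2E%2E (encoded
'..'). Added illustration only; this is not Apache Commons VFS code."""
from posixpath import join, normpath
from urllib.parse import unquote


class NotADescendantError(ValueError):
    """Raised when the resolved path is not strictly below the base directory."""


def _is_descendant(base: str, candidate: str) -> bool:
    """True if candidate (already normalized, absolute) lies strictly under base."""
    base_dir = normpath(base).rstrip("/") + "/"
    return candidate != base_dir.rstrip("/") and candidate.startswith(base_dir)


def resolve_vulnerable(base: str, relative: str) -> str:
    """Flawed ordering: normalize and check first, decode afterwards.

    At check time '%2E%2E' is just an odd directory name under base, so the
    containment test passes; decoding then turns it into '..' and the final
    path lands above base."""
    candidate = normpath(join(base, relative))
    if not _is_descendant(base, candidate):
        raise NotADescendantError(relative)
    return normpath(unquote(candidate))  # decode happens too late


def resolve_fixed(base: str, relative: str) -> str:
    """Correct ordering: decode exactly once, then normalize, then check.

    The check now sees the same path the consumer will see, so encoded
    traversal segments are rejected like plain ones."""
    decoded = unquote(relative)
    candidate = normpath(join(base, decoded))
    if not _is_descendant(base, candidate):
        raise NotADescendantError(relative)
    return candidate


def try_resolve(resolver, base: str, relative: str):
    """Return the resolved path, or None if the resolver rejected the input."""
    try:
        return resolver(base, relative)
    except NotADescendantError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs: one encoded traversal, one plain, one benign.
    for rel in ("%2E%2E/bar.txt", "../bar.txt", "sub/bar.txt"):
        print(f"{rel!r:20} vulnerable -> {try_resolve(resolve_vulnerable, '/data', rel)!r:22}"
              f" fixed -> {try_resolve(resolve_fixed, '/data', rel)!r}")
```

The decode must happen exactly once and at the same layer that later interprets the path; decoding twice would make a literal file named ‘%2E%2E’ unreachable, while decoding zero times before the check is the flaw shown above. Upgrading to 2.10.0 is the actual fix for VFS; an application-side check of this shape only adds defence in depth.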

Reference

http://www.openwall.com/lists/oss-security/2025/03/23/1

https://lists.apache.org/thread/cnzqowyw9r2pl263cylmxhnvh41hyjcb
