CVE-2025-32950 Vulnerability Analysis & Exploit Details

CVE-2025-32950 Vulnerability Summary

CVE-2025-32950: Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the `/files` endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.

CVE-2025-32950 References

External References

• https://docs.jmix.io/jmix/files-vulnerabilities.html
• https://docs.jmix.io/jmix/files-vulnerabilities.html#fix-path-traversal-in-jmix-application
• https://github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4c8f7a2
• https://github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a6250cb6a
• https://github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc5866169daa37
• https://github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540d024aa
• https://github.com/jmix-framework/jmix/issues/3804
• https://github.com/jmix-framework/jmix/issues/3836
• https://github.com/jmix-framework/jmix/security/advisories/GHSA-jx4g-3xqm-62vh

CWE Common Weakness Enumeration

Vulnerable Configurations

• cpe:2.3:a:haulmont:jmix_framework:1.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.0.1:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.0.1:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.0.3:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.0.3:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.1.0:-:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.1.0:-:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.1.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.1.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.1.1:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.1.2:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.1.2:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.1.3:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.1.3:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.2.0:-:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.2.0:-:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.2.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.2.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.2.3:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.2.3:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.2.4:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.2.4:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.3.0:-:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.3.0:-:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.3.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.3.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.3.1:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.3.2:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.3.3:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.3.3:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.3.4:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.3.4:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.3.5:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.3.5:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.4.0:-:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.4.0:-:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.4.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.4.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.4.1:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.4.1:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.4.2:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.4.2:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.4.3:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.4.3:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.4.4:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.4.4:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.5.0:-:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.5.0:-:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.5.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.5.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.5.0:rc2:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.5.0:rc2:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.5.0:rc3:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.5.0:rc3:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.5.1:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.5.1:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.5.2:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.5.2:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.5.3:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.5.3:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.5.4:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.5.4:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.5.5:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.5.5:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.6.0:-:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.6.0:-:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.6.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.6.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:1.6.1:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:1.6.1:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.0.0:-:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.0.0:-:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.0.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.0.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.0.0:rc2:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.0.0:rc2:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.0.1:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.0.1:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.0.2:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.0.2:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.1.0:-:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.1.0:-:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.1.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.1.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.1.1:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.1.2:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.1.2:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.1.3:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.1.3:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.2.0:-:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.2.0:-:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.2.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.2.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.2.3:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.2.3:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.3.0:-:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.3.0:-:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.3.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.3.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.3.1:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.3.2:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.3.3:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.3.3:*:*:*:*:*:*:*
• cpe:2.3:a:haulmont:jmix_framework:2.3.4:*:*:*:*:*:*:*
  cpe:2.3:a:haulmont:jmix_framework:2.3.4:*:*:*:*:*:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2026-23039 – In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect dr...
• CVE-2026-23038 – In the Linux kernel, the following vulnerability has been resolved: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() In nfs4_ff_a...
• CVE-2026-23037 – In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: allow partial RX URB allocation to succeed When es58x_alloc_...
• CVE-2026-23036 – In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before iget_failed() in btrfs_read_locked_inode() In btrf...
• CVE-2026-23035 – In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv mlx5e_priv is ...