| Package | commons-vfs |
|---|---|
| Version | 2.1-2+deb10u1 (buster) |
| Related CVEs | CVE-2025-27553 |
A vulnerability was discovered in Apache Commons VFS, a Java API for accessing various filesystems.
CVE-2025-27553
A relative path traversal vulnerability was discovered in Apache Commons VFS. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". But when a path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception.
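The failure mode above is a scope check that normalises ".." but never percent-decodes, so an encoded segment passes the check as an ordinary child name even though the layer that later accesses the path decodes it. The following Python example is added here to illustrate that class of bug and the corrected check; it is not Commons VFS code, and the base path and file names are constructed.

```python
from posixpath import normpath
from urllib.parse import unquote

# Constructed base directory standing in for the "base file" of the scope check.
BASE = "/srv/data/user1"


def naive_is_descendent(base: str, relative: str) -> bool:
    """Flawed descendant check: collapses '..' segments but does not
    percent-decode first. A name such as "%2E%2E/bar.txt" keeps its
    literal "%2E%2E" directory component and passes as a child, even
    though a consumer that decodes the path ends up in the parent."""
    resolved = normpath(f"{base}/{relative}")
    return resolved.startswith(normpath(base) + "/")


def resolve_descendent(base: str, relative: str) -> str:
    """Hardened equivalent of a DESCENDENT-scoped resolve: decode exactly
    once (as the consuming layer would), normalise, then require the
    result to lie strictly below the base on a path-component boundary.
    Raises ValueError instead of returning an out-of-scope path."""
    decoded = unquote(relative)
    base_norm = normpath(base)
    resolved = normpath(f"{base_norm}/{decoded}")
    # The base itself is not a descendant; a strict "/" boundary also
    # rejects sibling names that merely share a prefix (e.g. user10).
    if resolved == base_norm or not resolved.startswith(base_norm + "/"):
        raise ValueError(f"{relative!r} does not resolve below {base_norm}")
    return resolved


if __name__ == "__main__":
    for name in ("docs/report.txt", "../bar.txt", "%2E%2E/bar.txt", "a/../b.txt"):
        print(f"naive   {name!r}: {naive_is_descendent(BASE, name)}")
        try:
            print(f"hardened {name!r}: {resolve_descendent(BASE, name)}")
        except ValueError as exc:
            print(f"hardened {name!r}: rejected ({exc})")
```

Decode the name the same number of times as the layer that finally opens the file does; decoding fewer times recreates this bug, decoding more times creates a mismatch in the other direction.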
For Debian 10 buster, these problems have been fixed in version 2.1-2+deb10u1.
We recommend that you upgrade your commons-vfs packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.