vulnerability

Amazon Linux AMI 2: CVE-2025-27553: Security patch for apache-commons-vfs (ALAS-2025-2842)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:C/I:N/A:N)	Mar 23, 2025	May 1, 2025	Jul 28, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Published

Mar 23, 2025

Added

May 1, 2025

Modified

Jul 28, 2025

Description

Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.

The FileObject API in Commons VFS has a 'resolveFile' method that
takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of
the base file". However, when the path contains encoded ".."
characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not
a descendent of the base file, without throwing an exception.
This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.

Solutions

amazon-linux-ami-2-upgrade-apache-commons-vfsamazon-linux-ami-2-upgrade-apache-commons-vfs-antamazon-linux-ami-2-upgrade-apache-commons-vfs-examplesamazon-linux-ami-2-upgrade-apache-commons-vfs-javadoc

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today