PT-2025-12535 · Apache · Apache Commons VFS

Arnout Engelen · Published 2025-03-01 · Updated 2025-09-03 · CVE-2025-27553

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Commons VFS versions prior to 2.10.0

Description: The FileObject API in Commons VFS has a resolveFile method that takes a scope parameter. Specifying NameScope.DESCENDENT promises that an exception is thrown if the resolved file is not a descendent of the base file. However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception.

Recommendations: For versions prior to 2.10.0, upgrade to version 2.10.0, which fixes the issue. As a temporary workaround, consider restricting the use of the resolveFile method with the NameScope.DESCENDENT scope to minimize the risk of exploitation. Avoid using encoded ".." characters in paths passed to the resolveFile method until the issue is resolved.
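The workaround above amounts to validating the untrusted path yourself before handing it to resolveFile. The helper below is an added example written for this advisory; it is not code from Apache Commons VFS or from the reporter. It assumes the public Commons VFS 2.x API (FileObject.resolveFile(String, NameScope), FileName.isDescendent, VFS.getManager()) and a hypothetical class name SafeDescendantResolver. The input check decodes percent-encoding a bounded number of times and rejects any ".." segment seen at any decoding stage, so the "%2E%2E/bar.txt" form from the description is refused before the library is asked to resolve it; the post-resolution isDescendent check is belt and braces, and upgrading to 2.10.0 remains the real fix.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

import org.apache.commons.vfs2.FileObject;
import org.apache.commons.vfs2.FileSystemException;
import org.apache.commons.vfs2.FileSystemManager;
import org.apache.commons.vfs2.NameScope;
import org.apache.commons.vfs2.VFS;

/**
 * Hypothetical helper (not part of Commons VFS): resolve an untrusted relative
 * path below a base directory on a Commons VFS version earlier than 2.10.0.
 */
public final class SafeDescendantResolver {

    /** How many rounds of percent-decoding to inspect (covers double-encoded input). */
    private static final int MAX_DECODE_ROUNDS = 3;

    private SafeDescendantResolver() {}

    /**
     * Returns true when the path must be rejected: it is empty, absolute,
     * carries a scheme, or contains a ".." segment in raw or decoded form.
     */
    static boolean containsTraversal(String userPath) {
        if (userPath == null || userPath.isEmpty()) {
            return true;
        }
        // Only plain relative paths are acceptable: no leading separator, no "scheme:".
        if (userPath.startsWith("/") || userPath.startsWith("\\") || userPath.contains(":")) {
            return true;
        }
        String candidate = userPath;
        for (int round = 0; round <= MAX_DECODE_ROUNDS; round++) {
            for (String segment : candidate.split("[/\\\\]")) {
                if (segment.equals("..")) {
                    return true;
                }
            }
            String decoded;
            try {
                // Note: URLDecoder also turns '+' into a space; acceptable for a reject-only check.
                decoded = URLDecoder.decode(candidate, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformedEscape) {
                return true; // refuse rather than guess at a broken escape sequence
            }
            if (decoded.equals(candidate)) {
                break; // fully decoded, nothing more to inspect
            }
            candidate = decoded;
        }
        return false;
    }

    /** Resolves userPath below base, refusing anything that is not a descendant. */
    public static FileObject resolveBelow(FileObject base, String userPath) throws FileSystemException {
        if (containsTraversal(userPath)) {
            throw new IllegalArgumentException("rejected untrusted path: " + userPath);
        }
        FileObject resolved = base.resolveFile(userPath, NameScope.DESCENDENT);
        // Belt and braces: confirm the resolved name really sits below the base name.
        if (!base.getName().isDescendent(resolved.getName())) {
            throw new IllegalArgumentException("resolved outside base: " + resolved.getName());
        }
        return resolved;
    }

    public static void main(String[] args) throws FileSystemException {
        FileSystemManager manager = VFS.getManager();
        FileObject base = manager.resolveFile(System.getProperty("java.io.tmpdir"));

        // Constructed sample inputs: a benign path and the encoded form from the advisory.
        String[] samples = { "reports/2025/bar.txt", "%2E%2E/bar.txt", "%252E%252E/bar.txt" };
        for (String sample : samples) {
            try {
                FileObject f = resolveBelow(base, sample);
                System.out.println("accepted: " + sample + " -> " + f.getName());
            } catch (IllegalArgumentException rejected) {
                System.out.println("rejected: " + sample + " (" + rejected.getMessage() + ")");
            }
        }
    }
}
```

In the sample run the first path is accepted and the two encoded forms are rejected by containsTraversal before resolveFile is ever called. Keep the check strict (reject-only, no attempt to "clean up" a bad path) so that a rejected request is visible in application logs as a potential traversal attempt rather than silently normalised.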

Fix

Weakness Enumeration: Relative Path Traversal

Related Identifiers

BDU:2025-03216
CVE-2025-27553
DLA-4111-1
GHSA-9Q4X-FR4M-JP86
OESA-2025-1356
OESA-2025-1357
OESA-2025-1940
OESA-2025-1941
OESA-2025-1942
OPENSUSE-SU-2025:14929-1
OPENSUSE-SU-2025_1022-1
RHSA-2025:10548
SUSE-SU-2025:1022-1

Affected Products

Apache Commons Vfs
Debian
Red Os
Suse