PT-2025-17559 · Jmix · Jmix

Shadowsock5 · Published 2025-04-22 · Updated 2025-12-31 · CVE-2025-32950

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jmix versions 1.0.0 through 1.6.1
Jmix versions 2.0.0 through 2.3.4

Description
The issue allows attackers to manipulate the fileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the "/files" endpoint of the generic REST API.

Recommendations
For versions 1.0.0 through 1.6.1, update to version 1.6.2.
For versions 2.0.0 through 2.3.4, update to version 2.4.0.
As a temporary workaround, consider restricting access to the /files endpoint of the generic REST API until a patch is available. Avoid using harmful values in the fileRef parameter until the issue is resolved.
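While the update is being rolled out, access logs can be reviewed for traversal-style fileRef values sent to the /files endpoint. The following is an added example, not code from the advisory or from Jmix; it assumes a combined-format access log that records query strings, and the `/rest` prefix, the `fs://` value shape and all log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines; the /rest prefix and fs:// value shape are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - alice [22/Apr/2025:10:00:01 +0000] "GET /rest/files?fileRef=fs%3A%2F%2F2025%2F04%2F22%2Freport.pdf HTTP/1.1" 200 5120
10.0.0.9 - bob [22/Apr/2025:10:02:13 +0000] "GET /rest/files?fileRef=fs%3A%2F%2F..%2F..%2Fplaceholder.txt HTTP/1.1" 200 812
10.0.0.9 - bob [22/Apr/2025:10:02:40 +0000] "GET /rest/files?fileRef=%252e%252e%252fplaceholder.txt HTTP/1.1" 404 0
10.0.0.7 - carol [22/Apr/2025:10:05:00 +0000] "GET /rest/entities/Order HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_file_ref(file_ref):
    """True when the decoded value contains a parent-directory segment."""
    normalised = fully_decode(file_ref).replace("\\", "/")
    return ".." in normalised.split("/")


def find_suspicious_requests(log_text):
    """Return (line number, decoded fileRef) for flagged /files requests."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.rstrip("/").endswith("/files"):
            continue
        for raw in parse_qs(target.query).get("fileRef", []):
            if is_suspicious_file_ref(raw):
                hits.append((line_no, fully_decode(raw)))
    return hits


if __name__ == "__main__":
    for line_no, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: suspicious fileRef {value!r}")
```

This only covers the REST vector named in the description; a FileRef altered directly in the database leaves no trace in the access log and has to be checked in the stored data itself.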

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers
CVE-2025-32950
GHSA-JX4G-3XQM-62VH

Affected Products
Jmix