CVE-2025-34510

Name of the Vulnerable Software and Affected Versions Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4

Description A remote, authenticated attacker can exploit a Zip Slip vulnerability by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution. The issue affects the ability to securely handle ZIP archives, potentially leading to malicious code execution.

Recommendations For versions 9.0 through 9.3 and 10.0 through 10.4, consider disabling the ZIP upload feature until a patch is available to prevent exploitation of the Zip Slip vulnerability. Restrict access to the affected API endpoints related to file uploads to minimize the risk of exploitation. Avoid using the file upload parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.