PT-2025-29569 · Dspace · Dspace

Kshepherdtodspace-8_X

Published: 2025-07-15 · Updated: 2025-07-15 · CVE-2025-53622

CVSS v3.1: 5.2 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:L
Name of the Vulnerable Software and Affected Versions

DSpace versions prior to 7.6.4
DSpace versions prior to 8.2
DSpace versions prior to 9.1

Description

DSpace is a repository application providing access to digital resources. A path traversal issue exists during the import of an archive in Simple Archive Format (SAF), reachable via the command line (the ./dspace import command) or the "Batch Import (Zip)" user interface. An attacker can craft a malicious SAF package whose contents file references system files using relative traversal sequences, potentially leading to the disclosure of sensitive content, including arbitrary files or configuration from the server. The SAF importer / Batch Import (Zip) feature is restricted to site and system administrators, so exploitation requires that an administrator trust the package and initiate the import.

Recommendations

Upgrade to DSpace version 7.6.4 or later.
Upgrade to DSpace version 8.2 or later.
Upgrade to DSpace version 9.1 or later.
Administrators must carefully inspect any SAF archive they did not construct themselves before importing it, paying close attention to the contents file to validate that it does not reference files outside of the SAF archive.
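The inspection the Recommendations describe, as an added example that is not part of the advisory or of the DSpace code base: a small Python audit that reads each item's contents file in an unpacked SAF package (constructed sample data inline) and flags any bitstream path that would resolve outside its item directory, so the package can be rejected before ./dspace import or Batch Import (Zip) touches it.

```python
import posixpath

# Constructed sample SAF package: {item directory: text of its "contents" file}.
# Each "contents" line names one bitstream, optionally followed by tab-separated
# options such as "bundle:ORIGINAL" or "description:...".
SAMPLE_PACKAGE = {
    "item_001": "thesis.pdf\tbundle:ORIGINAL\nlicense.txt\tbundle:LICENSE\n",
    "item_002": "../../../etc/passwd\tbundle:ORIGINAL\n",            # relative traversal
    "item_003": "/etc/dspace/local.cfg\tbundle:ORIGINAL\n",          # absolute path
    "item_004": "figures/../../dublin_core.xml\tbundle:ORIGINAL\n",  # escapes after normalising
}


def escapes_item_dir(path):
    """True if a bitstream path could resolve outside the SAF item directory."""
    # SAF archives use Unix-style separators; treat backslashes as separators too,
    # so a Windows-style "..\\" cannot slip past the check.
    normalised = posixpath.normpath(path.replace("\\", "/"))
    if posixpath.isabs(normalised):
        return True
    # After normalisation, any remaining ".." component can only climb out of the item dir.
    return ".." in normalised.split("/")


def unsafe_contents_entries(contents_text):
    """Return the bitstream paths in a 'contents' file that escape the item directory."""
    bad = []
    for raw in contents_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        filename = line.split("\t", 1)[0].strip()  # first field is the file name
        if escapes_item_dir(filename):
            bad.append(filename)
    return bad


def audit_saf_package(package):
    """Return {item dir: [offending entries]} for every item whose contents file is unsafe."""
    findings = {}
    for item_dir, contents_text in package.items():
        bad = unsafe_contents_entries(contents_text)
        if bad:
            findings[item_dir] = bad
    return findings


if __name__ == "__main__":
    findings = audit_saf_package(SAMPLE_PACKAGE)
    for item, entries in findings.items():
        print(f"{item}: do not import, contents references {entries}")
    if not findings:
        print("all contents files stay inside their item directories")
```

For a zipped package, run the same escapes_item_dir check over every zip entry name as well, since the archive's own entry names can traverse just as a contents line can.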

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2025-53622
GHSA-VHVX-8XGC-99WF

Affected Products

Dspace