Vulnerability Description
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haulmont | Cuba Platform | >= 6.2.0, < 7.2.23 |
| Haulmont | Cuba Rest Api | >= 7.1.1, < 7.2.7 |
| Haulmont | Jmix Framework | >= 1.0.0, < 1.6.2 |
| Haulmont | Jpa Web Api | >= 1.0.0, < 1.1.1 |
Related Weaknesses (CWE)
References
- https://docs.jmix.io/jmix/files-vulnerabilities.htmlVendor Advisory
- https://docs.jmix.io/jmix/files-vulnerabilities.html#disable-files-endpoint-in-jVendor Advisory
- https://github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4Patch
- https://github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a62Patch
- https://github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc586616Patch
- https://github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540Patch
- https://github.com/jmix-framework/jmix/issues/3804Issue Tracking
- https://github.com/jmix-framework/jmix/issues/3836Issue Tracking
- https://github.com/jmix-framework/jmix/security/advisories/GHSA-x27v-f838-jh93PatchVendor Advisory
FAQ
What is CVE-2025-32951?
CVE-2025-32951 is a vulnerability with a CVSS score of 6.4 (MEDIUM). Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and...
How severe is CVE-2025-32951?
CVE-2025-32951 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-32951?
Check the references section above for vendor advisories and patch information. Affected products include: Haulmont Cuba Platform, Haulmont Cuba Rest Api, Haulmont Jmix Framework, Haulmont Jpa Web Api.