CVE-2025-32951

Analyzed Analyzed - Analysis Complete

Jmix is a set of libraries and tools to speed

Publication date: 2025-04-22

Last updated on: 2025-12-31

Assigner: GitHub, Inc.

Description

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Affected Vendors & Products

Vendor	Product	Version
haulmont	cuba_platform	From 6.2.0 (inc) to 7.2.23 (exc)
haulmont	cuba_rest_api	From 7.1.1 (inc) to 7.2.7 (exc)
haulmont	jmix_framework	From 1.0.0 (inc) to 1.6.2 (exc)
haulmont	jmix_framework	From 2.0.0 (inc) to 2.4.0 (exc)
haulmont	jpa_web_api	From 1.0.0 (inc) to 1.1.1 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-79	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Powered Q&A

Can you explain this vulnerability to me?

The vulnerability affects Jmix versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4. It involves an input parameter that takes a file path and name. If the file name ends with .html, the application returns a Content-Type header of text/html. This manipulation can be exploited to execute malicious JavaScript in the browser if a malicious file has been uploaded previously. The issue has been patched in versions 1.6.2 and 2.4.0, and a workaround is available in the documentation. [1]

How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker to alter the Content-Type header (specifically setting it to text/html) through a manipulated file path parameter, which enables the execution of malicious JavaScript in the browser. This could result in cross-site scripting (XSS) attacks, potentially leading to unauthorized actions such as session hijacking or the theft of sensitive information, provided that a malicious file is uploaded beforehand. [1]

What immediate steps should I take to mitigate this vulnerability?

Upgrade the affected Jmix components to the patched versions (1.6.2 or 2.4.0) as described in the CVE description. Additionally, consider applying the workaround provided on the Jmix documentation website and review the file upload functionalities to limit potential abuse. [1]

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

EPSS Chart

Meta Information

CVE Publication Date:

2025-04-22

CVE Last Modified Date:

2025-12-31

Report Generation Date:

2026-03-01

AI Powered Q&A Generation:

2025-04-23

EPSS Last Evaluated Date:

2026-02-28

NVD Report Link:

CVE-2025-32951