CVE-2025-32952
Analyzed - Analysis Complete

Publication date: 2025-04-22

Last updated on: 2025-12-31

Assigner: GitHub, Inc.

Description
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 errors, resulting in a denial of service. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
Affected Vendors & Products
Vendor Product Version
haulmont cuba_platform From 6.2.0 (inc) to 7.2.23 (exc)
haulmont cuba_rest_api From 7.1.1 (inc) to 7.2.7 (exc)
haulmont jmix_framework From 1.0.0 (inc) to 1.6.2 (exc)
haulmont jmix_framework From 2.0.0 (inc) to 2.4.0 (exc)
haulmont jpa_web_api From 1.0.0 (inc) to 1.1.1 (exc)
CWE
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Jmix’s local file storage implementation. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, there is no restriction on the size of uploaded files. An attacker can exploit this by uploading excessively large files that may exhaust the server's disk space, potentially triggering HTTP 500 errors and leading to a denial of service. The issue has been fixed in versions 1.6.2 and 2.4.0, with a workaround available on the Jmix documentation website. [1]


How can this vulnerability impact me?

If you are using an affected Jmix version, an attacker could exploit this vulnerability by uploading very large files without restrictions, which might exhaust available disk space on your server. This can cause the server to become unresponsive due to HTTP 500 errors, resulting in a denial of service and disruption of service availability. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate steps are to upgrade to the patched versions (1.6.2 for the 1.x branch or 2.4.0 for the 2.x branch). Alternatively, you can follow the workaround provided on the Jmix documentation website. [1, 2]
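
The missing control named in the description, a limit on uploaded file size, sketched as an added Java example; it is not Jmix code and not the workaround from the Jmix documentation. The class `BoundedUpload`, the method `store` and the 1 MiB value of `MAX_UPLOAD_BYTES` are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;

public class BoundedUpload {
    // Hypothetical cap; choose one that fits the application's largest legitimate file.
    static final long MAX_UPLOAD_BYTES = 1024 * 1024;

    /** Copies at most maxBytes from in to target; on overflow deletes the partial file and throws. */
    static long store(InputStream in, Path target, long maxBytes) throws IOException {
        long written = 0;
        byte[] buf = new byte[8192];
        boolean ok = false;
        try (OutputStream out = Files.newOutputStream(target)) {
            int n;
            while ((n = in.read(buf)) != -1) {
                written += n;
                // Count bytes actually received; a client-supplied Content-Length can be absent or false.
                if (written > maxBytes) {
                    throw new IOException("upload exceeds " + maxBytes + " bytes");
                }
                out.write(buf, 0, n);
            }
            ok = true;
            return written;
        } finally {
            // The stream is already closed here. Rejected uploads must not keep consuming disk.
            if (!ok) {
                Files.deleteIfExists(target);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("filestorage");
        // Constructed inputs: one file under the cap, one a single byte over it.
        byte[] small = new byte[4096];
        byte[] large = new byte[(int) MAX_UPLOAD_BYTES + 1];
        System.out.println("stored " + store(new ByteArrayInputStream(small), dir.resolve("ok.bin"), MAX_UPLOAD_BYTES));
        Path rejected = dir.resolve("big.bin");
        try {
            store(new ByteArrayInputStream(large), rejected, MAX_UPLOAD_BYTES);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage() + ", partial file left: " + Files.exists(rejected));
        }
    }
}
```

A per-file cap bounds each upload only; the CWE-770 description above also covers the number of allocations, so a total storage quota or free-space monitoring is still needed against many files that each stay under the cap.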


Meta Information
CVE Publication Date: 2025-04-22
CVE Last Modified Date: 2025-12-31
Report Generation Date: 2026-02-19
AI Powered Q&A Generation: 2025-04-23
EPSS Last Evaluated Date: 2026-02-18