CVE-2025-53622
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dspace | dspace | 9.1 |
| dspace | dspace | 7.6.4 |
| dspace | dspace | 8.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53622 is a path traversal vulnerability in the DSpace repository software that occurs during the import of Simple Archive Format (SAF) packages. An attacker can craft a malicious SAF package where the 'contents' file includes relative path traversal sequences (like '../') that reference arbitrary system files readable by the Tomcat user running DSpace. When such a package is imported by an administrator via command-line or the Batch Import (Zip) UI, it can lead to unauthorized disclosure of sensitive files outside the intended import directory. The vulnerability arises from insufficient validation of file paths in SAF manifests, allowing file access outside the designated storage areas. The fix enforces strict validation to ensure all file paths remain within authorized directories, preventing traversal attacks. [7, 1, 3]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive files or configuration data from the server running DSpace. Specifically, if a malicious SAF package is imported by an administrator, it can expose arbitrary files readable by the Tomcat user, resulting in confidentiality loss. There is no impact on data integrity or significant availability impact. Exploitation requires administrative privileges and user interaction (an administrator must import the malicious package). Therefore, the main impact is sensitive information disclosure from the server. [7]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for attempts to import malicious SAF (Simple Archive Format) packages containing path traversal sequences in the 'contents' file. Since the vulnerability is exploited during SAF import by administrators, inspecting import logs for errors related to path validation failures or IOException thrown due to illegal file paths can help detect exploitation attempts. The patched DSpace versions include improved logging for illegal bitstream paths and path traversal attempts. Administrators can check DSpace logs for entries indicating path traversal validation errors. There are no specific network commands provided, but reviewing import activity and logs for suspicious SAF archive imports or errors related to path validation is recommended. [4, 5, 6, 7]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Upgrading DSpace to versions 7.6.4, 8.2, or 9.1 where the vulnerability is fixed. 2) If upgrading is not immediately possible, manually patch the DSpace backend by applying the provided pull requests (#11036 for 7.x, #11037 for 8.x, #11038 for 9.0), then rebuild and redeploy DSpace and restart the server. 3) As a temporary workaround, carefully inspect any SAF archives from untrusted sources before importing, paying close attention to the 'contents' file to ensure it does not reference files outside the SAF package directory. Avoid importing large or untrusted SAF archives until patched. 4) Monitor logs for path validation errors to detect potential exploitation attempts. [1, 2, 3, 7]