CVE-2025-14914
Path Traversal in IBM WebSphere Liberty Enables Code Execution
Publication date: 2026-02-02
Last updated on: 2026-02-12
Assigner: IBM Corporation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | websphere_application_server | From 17.0.0.3 (inc) to 26.0.0.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in IBM WebSphere Application Server Liberty (versions 17.0.0.3 through 26.0.0.1) allows a privileged user to upload a ZIP archive containing path traversal sequences. These sequences can overwrite files on the system, which can lead to arbitrary code execution. It occurs when the restConnector-1.0 or restConnector-2.0 feature is enabled and is classified as a path traversal vulnerability (CWE-22). [1]
How can this vulnerability impact me?
The vulnerability can allow an attacker with high privileges to overwrite critical files by uploading specially crafted ZIP archives, potentially leading to arbitrary code execution. This means the attacker could execute malicious code on the affected system, compromising confidentiality, integrity, and availability of the system and its data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by verifying if the restConnector-1.0 or restConnector-2.0 features are enabled in your IBM WebSphere Application Server Liberty installation. IBM recommends following their guidance on determining Liberty features to check this. Specific commands are not provided in the resources, but typically, you would use Liberty server commands or configuration inspection to list enabled features and check for restConnector-1.0 or restConnector-2.0. [1]
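As an added example (not code from this record or from IBM), the following Python check inspects a Liberty server's server.xml and its configDropins XML files for the restConnector-1.0 / restConnector-2.0 features and compares a version string against the affected range stated above; the sample server.xml is constructed, and the configDropins paths are the standard Liberty merge locations.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Features named in the record as the vulnerable condition; names are compared case-insensitively.
RESTCONNECTOR_FEATURES = {"restconnector-1.0", "restconnector-2.0"}
# Affected range from the record: 17.0.0.3 through 26.0.0.1, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (17, 0, 0, 3), (26, 0, 0, 1)

def declared_features(xml_text):
    """Return lowercased <feature> names found under any <featureManager> element."""
    root = ET.fromstring(xml_text)
    return {f.text.strip().lower()
            for fm in root.iter("featureManager")
            for f in fm.iter("feature") if f.text and f.text.strip()}

def exposed_features(xml_text):
    """The restConnector features this config enables, sorted (empty list means not exposed)."""
    return sorted(declared_features(xml_text) & RESTCONNECTOR_FEATURES)

def version_in_affected_range(version):
    """True if a dotted Liberty version (e.g. '25.0.0.9') falls inside the affected range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts += (0,) * (4 - len(parts))          # pad short strings such as '26.0'
    return AFFECTED_MIN <= parts <= AFFECTED_MAX

def scan_configs(named_texts):
    """Map each config name to the restConnector features it enables; flags unparsable files."""
    report = {}
    for name, text in named_texts:
        try:
            report[name] = exposed_features(text)
        except ET.ParseError:
            report[name] = ["<parse error>"]
    return report

def scan_server_dir(server_dir):
    """Collect server.xml plus the configDropins XML files Liberty merges into it, then scan."""
    base = Path(server_dir)
    paths = [base / "server.xml"]
    for sub in ("configDropins/defaults", "configDropins/overrides"):
        paths.extend(sorted((base / sub).glob("*.xml")))
    return scan_configs((str(p), p.read_text()) for p in paths if p.is_file())

# Constructed sample server.xml (not taken from any real installation) for a stand-alone run.
SAMPLE_SERVER_XML = """<server description="constructed sample">
  <featureManager>
    <feature>restConnector-2.0</feature>
  </featureManager>
</server>"""
```

Run `scan_server_dir("/path/to/wlp/usr/servers/<name>")` against a real server directory; any non-empty list in the report, combined with a version inside the affected range, means the record's vulnerable condition applies.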
What immediate steps should I take to mitigate this vulnerability?
IBM recommends remediation by applying the interim fix associated with APAR PH69485 or upgrading to Liberty Fix Pack 26.0.0.2 or later. No workarounds or mitigations are provided. It is advised to assess the impact of this vulnerability in your environment and apply the fixes as soon as they become available. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.