CVE-2025-14914
Unknown Unknown - Not Provided
Path Traversal in IBM WebSphere Liberty Enables Code Execution

Publication date: 2026-02-02

Last updated on: 2026-02-12

Assigner: IBM Corporation

Description
IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-02-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14914
EUVD
EUVD-2025-206602
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ibm websphere_application_server From 17.0.0.3 (inc) to 26.0.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in IBM WebSphere Application Server Liberty (versions 17.0.0.3 through 26.0.0.1) allows a privileged user to upload a ZIP archive containing path traversal sequences. These sequences can overwrite files on the system, which can lead to arbitrary code execution. It occurs when the restConnector-1.0 or restConnector-2.0 feature is enabled and is classified as a path traversal vulnerability (CWE-22). [1]

Impact Analysis

The vulnerability can allow an attacker with high privileges to overwrite critical files by uploading specially crafted ZIP archives, potentially leading to arbitrary code execution. This means the attacker could execute malicious code on the affected system, compromising confidentiality, integrity, and availability of the system and its data. [1]

Detection Guidance

You can detect this vulnerability by verifying if the restConnector-1.0 or restConnector-2.0 features are enabled in your IBM WebSphere Application Server Liberty installation. IBM recommends following their guidance on determining Liberty features to check this. Specific commands are not provided in the resources, but typically, you would use Liberty server commands or configuration inspection to list enabled features and check for restConnector-1.0 or restConnector-2.0. [1]

Mitigation Strategies

IBM recommends remediation by applying the interim fix associated with APAR PH69485 or upgrading to Liberty Fix Pack 26.0.0.2 or later. No workarounds or mitigations are provided. It is advised to assess the impact of this vulnerability in your environment and apply the fixes as soon as they become available. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14914. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart