CUBA and JMIX Frameworks Affected by Critical File Handling Vulnerabilities

Publication date: 2025-04-23

Haulmont's CUBA Platform and its successor JMIX, both popular Java-based frameworks for enterprise application development, have recently been the subject of several security advisories. These vulnerabilities primarily affect the file handling functionality and pose serious threats such as Remote Code Execution (RCE), Cross-Site Scripting (XSS), Denial of Service (DoS), and Path Traversal.

At BaseFortify.eu, we have published a complete breakdown of these issues in our CVE reports:

Summary of Vulnerabilities

    ❗ Affected Functionality: /files Endpoint and Local File Storage

Vulnerabilities Affecting Both JMIX and CUBA

1. XSS via the /files Endpoint

If an attacker uploads a file named malicious.html, the REST API may return it with Content-Type: text/html, so a browser that opens the URL executes any JavaScript it contains. This can be used for phishing, data theft, or credential compromise, especially in environments where the API and UI are both exposed.

2. Denial of Service via Oversized File Uploads

Neither platform limits file size during upload. A malicious user could fill the disk and render the service inoperable, with requests failing with persistent HTTP 500 errors.

Affected Versions:

  • JMIX: 1.0.0 – 1.6.1, 2.0.0 – 2.3.4
  • CUBA: 6.2.0 – 7.2.22
  • CUBA REST API add-on: 7.1.1 – 7.2.6
  • CUBA JPA Web API add-on: 1.0.0 – 1.1.0

Vulnerability Exclusive to JMIX

3. Path Traversal via FileRef

Attackers with access to modify the fileRef parameter—either via the database or direct API access—can bypass file storage boundaries, accessing system files if permissions allow.

Affected Versions:

  • JMIX: 1.0.0 – 1.6.1, 2.0.0 – 2.3.4

Fixes and Workarounds

✅ Fixed in:

  • JMIX 1.6.2+ / 2.4.0+
  • CUBA 7.2.23+
  • CUBA REST API add-on 7.2.7+
  • CUBA JPA Web API add-on 1.1.1+

🛠️ Workarounds for Non-Upgradable Systems:

A. Mitigate Path Traversal in JMIX

Override the default LocalFileStorage with a secured version that ensures files remain within expected storage roots:

        import org.springframework.context.annotation.Primary;
        import org.springframework.stereotype.Component;
        import io.jmix.localfs.LocalFileStorage; // LocalFileStorage from the Jmix local file storage module

        @Primary
        @Component
        public class FixedLocalFileStorage extends LocalFileStorage {
            // ... input stream logic ensuring the resolved path stays within the storage root
        }

Add this to application.properties:

        jmix.core.exclude-beans=locfs_FileStorage
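
As an added example (not code from the Jmix project or from this advisory), the containment check that a FixedLocalFileStorage override would apply to a FileRef's path before opening a stream. The class name SafeStoragePath, the root /var/app/files and the sample paths are assumptions, and the check is lexical, so it is paired with a caveat about symlinks.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper (not Jmix code): resolves a stored file path against the
// storage root and rejects anything that would escape it.
public final class SafeStoragePath {

    private final Path root;

    public SafeStoragePath(Path root) {
        // Canonicalise the root once: toAbsolutePath().normalize() removes "." and ".." segments
        this.root = root.toAbsolutePath().normalize();
    }

    /** Returns the resolved path, or throws if storedPath is absolute or escapes the root. */
    public Path resolve(String storedPath) {
        if (storedPath == null || storedPath.isBlank()) {
            throw new IllegalArgumentException("empty path");
        }
        Path candidate = Paths.get(storedPath);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute path not allowed: " + storedPath);
        }
        // Normalize after resolving so "a/../../x" is collapsed before the check
        Path resolved = root.resolve(candidate).normalize();
        // startsWith compares whole path components, so "/var/app/files" does not
        // accept "/var/app/files-other/x" the way a plain string prefix check would
        if (!resolved.startsWith(root)) {
            throw new IllegalArgumentException("path escapes storage root: " + storedPath);
        }
        // Caveat: this is a lexical check; if symlinks may exist under the root,
        // also compare resolved.toRealPath() against the root for existing files
        return resolved;
    }

    // Constructed sample inputs: one legitimate relative path and three that must be rejected
    public static void main(String[] args) {
        SafeStoragePath storage = new SafeStoragePath(Paths.get("/var/app/files"));
        String[] samples = {"2025/04/report.pdf", "../../etc/passwd", "/etc/passwd", "a/../../x"};
        for (String s : samples) {
            try {
                System.out.println("OK      " + s + " -> " + storage.resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```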

B. Disable /files Endpoint

JMIX (Spring Filter Bean):

        import org.springframework.boot.web.servlet.FilterRegistrationBean;
        import org.springframework.context.annotation.Bean;

        @Bean
        public FilterRegistrationBean<BlockingFilter> restFilesBlockingFilter() {
            // BlockingFilter is the application's own servlet Filter that rejects the request
            FilterRegistrationBean<BlockingFilter> registration = new FilterRegistrationBean<>(new BlockingFilter());
            registration.addUrlPatterns("/rest/files/*"); // blocks /rest/files
            return registration;
        }

CUBA (web.xml Filter Configuration):

        <!-- cuba_blocking_filter must also be declared in a <filter> element -->
        <filter-mapping>
            <filter-name>cuba_blocking_filter</filter-name>
            <url-pattern>/rest/v2/files/*</url-pattern>
        </filter-mapping>

Include additional mappings if using legacy REST endpoints.

Developer Impact & Recommendations

While these vulnerabilities may require an authenticated context or specific permissions, many enterprise deployments grant broad access to REST APIs—especially during early development or internal usage. These flaws should not be underestimated.

If you're currently building or maintaining a CUBA or JMIX-based application:

  • Audit your file storage and access controls
  • Upgrade to the latest patched versions
  • Implement provided filters immediately if patching isn’t feasible
  • Use CVE monitoring tools, such as those built into BaseFortify, to stay ahead of future disclosures

How BaseFortify Helps

Our CVE match engine automatically checks your stack for known vulnerabilities, including:

    ✅ CUBA Platform
    ✅ JMIX
    ✅ Spring and Java dependencies
    ✅ CVE-to-component matching
    ✅ Real-time alerts and patch guidance

Try it free or get in touch for a tailored risk assessment.

Protect your platform. Secure your components. Stay ahead of exploits.
Visit BaseFortify.eu for more security advisories and mitigation tools.