CVE-2025-53622 (GCVE-0-2025-53622)
Vulnerability from cvelistv5 – Published: 2025-07-15 14:47 – Updated: 2025-07-15 15:47
Title
DSpace has path traversal vulnerability in Simple Archive Format (SAF) package import via contents file
Summary
DSpace open source software is a repository application which provides durable access to digital resources. Prior to versions 7.6.4, 8.2, and 9.1, a path traversal vulnerability is possible during the import of an archive (in Simple Archive Format), either from the command line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. An attacker may craft a malicious Simple Archive Format (SAF) package whose `contents` file references arbitrary system files (using relative traversal sequences) that are readable by the Tomcat user. If such a package is imported, the result is sensitive content disclosure, including retrieval of arbitrary files or configuration from the server where DSpace is running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from the user interface / REST API) or system administrators (from the command line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import). The fix is included in DSpace 7.6.4, 8.2 and 9.1. For those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.0. Although it is not possible to fully protect the system via workarounds, one can apply a best practice: administrators must carefully inspect any SAF archive they did not construct themselves before importing it, paying close attention to the `contents` file to validate that it does not reference files outside of the SAF archive.
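The best practice above (inspect the `contents` file of every untrusted SAF package before importing) can be automated. The following Python script is an added example, not DSpace project code; it assumes the SAF `contents` layout of one bitstream per line with the filename first and optional tab-separated attributes such as `bundle:ORIGINAL`, and the sample entries and `PLACEHOLDER-*` names are constructed for the example.

```python
"""Pre-import check for a DSpace Simple Archive Format (SAF) `contents` file.

Added example, not DSpace project code: it automates the best practice from
the advisory by refusing an import when any bitstream listed in `contents`
would resolve outside the item directory. Assumed layout (constructed for this
example): one bitstream per line, filename first, then optional tab-separated
attributes such as `bundle:ORIGINAL`; blank lines are ignored.
"""
import os
import posixpath

def referenced_files(contents_text: str) -> list[str]:
    """Return the filename column of every non-blank line of a `contents` file."""
    return [line.split("\t", 1)[0].strip()
            for line in contents_text.splitlines() if line.strip()]

def is_confined(name: str) -> bool:
    """True only if `name` is a relative path that stays inside the item directory.

    Rejects empty names, absolute paths, backslash separators, and anything that
    still has a `..` component after normalisation: `sub/../a` passes, `sub/../../a` fails.
    """
    if not name or name.startswith("/") or "\\" in name:
        return False
    norm = posixpath.normpath(name)
    return norm != "." and ".." not in norm.split("/")

def check_contents(contents_text: str) -> list[str]:
    """Return the offending entries; an empty list means the file is clean."""
    return [n for n in referenced_files(contents_text) if not is_confined(n)]

def check_item_dir(item_dir: str) -> list[str]:
    """Check <item_dir>/contents on disk, also catching symlinks that escape it."""
    with open(os.path.join(item_dir, "contents"), encoding="utf-8") as fh:
        text = fh.read()
    root = os.path.realpath(item_dir)
    bad = check_contents(text)
    for name in referenced_files(text):
        target = os.path.realpath(os.path.join(root, name))
        if name not in bad and os.path.commonpath([root, target]) != root:
            bad.append(name)  # entry is a symlink pointing outside the item
    return bad

# Constructed sample: two legitimate entries and two traversal attempts.
SAMPLE_CONTENTS = (
    "thesis.pdf\tbundle:ORIGINAL\tprimary:true\n"
    "license.txt\tbundle:LICENSE\n"
    "../../../../PLACEHOLDER-system-file\tbundle:ORIGINAL\n"
    "sub/../../PLACEHOLDER-config.cfg\n"
)

if __name__ == "__main__":
    flagged = check_contents(SAMPLE_CONTENTS)
    print("REFUSE import, offending entries:" if flagged else "contents OK", flagged)
```

Run `check_item_dir()` over every item directory of an unpacked SAF package and refuse the whole package if any call returns a non-empty list; this is a pre-import gate only, and does not replace upgrading to a fixed release.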
Severity
5.2 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/DSpace/DSpace/security/advisories/GHSA-vhvx-8xgc-99wf | x_refsource_CONFIRM |
| https://github.com/DSpace/DSpace/pull/11036 | x_refsource_MISC |
| https://github.com/DSpace/DSpace/pull/11036.patch | x_refsource_MISC |
| https://github.com/DSpace/DSpace/pull/11037 | x_refsource_MISC |
| https://github.com/DSpace/DSpace/pull/11037.patch | x_refsource_MISC |
| https://github.com/DSpace/DSpace/pull/11038 | x_refsource_MISC |
| https://github.com/DSpace/DSpace/pull/11038.patch | x_refsource_MISC |
Impacted products
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53622",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T15:45:25.660140Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T15:47:46.242Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DSpace",
          "vendor": "DSpace",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.6.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0, \u003c 8.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 9.0, \u003c 9.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DSpace open source software is a repository application which provides durable access to digital resources. Prior to versions 7.6.4, 8.2, and 9.1, a path traversal vulnerability is possible during the import of an archive (in Simple Archive Format), either from command-line (`./dspace import` command) or from the \"Batch Import (Zip)\" user interface feature. An attacker may craft a malicious Simple Archive Format (SAF) package where the `contents` file references any system files (using relative traversal sequences) which are readable by the Tomcat user. If such a package is imported, this will result in sensitive content disclose, including retrieving arbitrary files or configurations from the server where DSpace is running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import). The fix is included in DSpace 7.6.4, 8.2 and 9.1. For those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.0. Although it is not possible to fully protect the system via workarounds, one may can apply a best practice. Administrators must carefully inspect any SAF archives (they did not construct themselves) before importing, paying close attention to the `contents` file to validate it does not reference files outside of the SAF archives."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-15T14:47:45.342Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/DSpace/DSpace/security/advisories/GHSA-vhvx-8xgc-99wf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-vhvx-8xgc-99wf"
        },
        {
          "name": "https://github.com/DSpace/DSpace/pull/11036",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DSpace/DSpace/pull/11036"
        },
        {
          "name": "https://github.com/DSpace/DSpace/pull/11036.patch",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DSpace/DSpace/pull/11036.patch"
        },
        {
          "name": "https://github.com/DSpace/DSpace/pull/11037",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DSpace/DSpace/pull/11037"
        },
        {
          "name": "https://github.com/DSpace/DSpace/pull/11037.patch",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DSpace/DSpace/pull/11037.patch"
        },
        {
          "name": "https://github.com/DSpace/DSpace/pull/11038",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DSpace/DSpace/pull/11038"
        },
        {
          "name": "https://github.com/DSpace/DSpace/pull/11038.patch",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/DSpace/DSpace/pull/11038.patch"
        }
      ],
      "source": {
        "advisory": "GHSA-vhvx-8xgc-99wf",
        "discovery": "UNKNOWN"
      },
      "title": "DSpace has path traversal vulnerability in Simple Archive Format (SAF) package import via contents file"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53622",
    "datePublished": "2025-07-15T14:47:45.342Z",
    "dateReserved": "2025-07-07T14:20:38.387Z",
    "dateUpdated": "2025-07-15T15:47:46.242Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.