CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.

When a file is not found, the FtpFileObject class can throw an exception whose message contains the original URI, including any password embedded in the URI's userinfo (ftp://user:password@host/...). Anyone who can read that message, for example in application logs or an error page, can recover the credential. The fix masks the password in the exception message.
This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.
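The following is an added example, not code from Apache Commons VFS, showing the bug class and one way to fix it: building an exception message from the raw URI leaks the password, while masking the userinfo first does not. The class name MaskedUriDemo, the method names and the sample URI (with a fake credential) are constructed for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/*
 * Added example (not Apache Commons VFS code). Demonstrates how an error
 * message built from the raw URI leaks the password, and how masking the
 * userinfo before formatting the message prevents it. All names here are
 * hypothetical.
 */
public class MaskedUriDemo {

    /** Vulnerable pattern: the raw URI, password included, ends up in the message. */
    static String unmaskedMessage(URI uri) {
        return "Could not find file: " + uri;
    }

    /** Hardened pattern: the same message, but with the password masked. */
    static String maskedMessage(URI uri) {
        URI safe = maskPassword(uri);
        return "Could not find file: " + (safe == null ? "<uri withheld>" : safe);
    }

    /**
     * Return a copy of the URI whose password (the part of userinfo after the
     * first ':') is replaced by "***". URIs without a password are returned as-is.
     * Returns null if a masked URI cannot be rebuilt, so the caller never falls
     * back to the unmasked one.
     */
    static URI maskPassword(URI uri) {
        String userInfo = uri.getUserInfo();   // decoded form, e.g. "alice:s3cr@t"
        if (userInfo == null) {
            return uri;
        }
        int colon = userInfo.indexOf(':');     // username may not contain ':', so the first one separates user and password
        if (colon < 0) {
            return uri;                        // user only, nothing secret to hide
        }
        String masked = userInfo.substring(0, colon) + ":***";
        try {
            // The multi-argument constructor re-quotes characters in the username as needed.
            return new URI(uri.getScheme(), masked, uri.getHost(), uri.getPort(),
                           uri.getPath(), uri.getQuery(), uri.getFragment());
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URI with a fake credential ("s3cr@t", percent-encoded).
        URI uri = new URI("ftp://alice:s3cr%40t@ftp.example.test/pub/missing.txt");

        String leaky = unmaskedMessage(uri);
        String safe = maskedMessage(uri);

        System.out.println(leaky);   // ftp://alice:s3cr%40t@ftp.example.test/pub/missing.txt
        System.out.println(safe);    // ftp://alice:***@ftp.example.test/pub/missing.txt

        // Check that the secret does not survive in the hardened message.
        if (safe.contains("s3cr")) {
            throw new AssertionError("password leaked into exception message");
        }
    }
}
```

Masking the message alone is only half of the fix in real code: if the exception also carries the original URI as a field or cause, or the caller logs the URI separately, the credential still reaches the log. The safer habit is to never put credentials in the URI at all and to supply them through the library's authentication mechanism; for Commons VFS users the actual remedy for this CVE is the upgrade to 2.10.0.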

Classification

CVE ID: CVE-2025-30474

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: Apache Software Foundation

Product: Apache Commons VFS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability that the vulnerability is exploited in the wild within the next 30 days)

EPSS Percentile: 15.17% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30474
https://issues.apache.org/jira/browse/VFS-169
https://lists.apache.org/thread/w6ztgnbk6ccry3470x191g3xwrpgy6f4

Timeline