
CVE-2025-53622: DSpace has path traversal vulnerability in Simple Archive Format (SAF) package import via contents file

5.2 CVSS

Description

DSpace open source software is a repository application which provides durable access to digital resources. Prior to versions 7.6.4, 8.2, and 9.1, a path traversal vulnerability is possible during the import of an archive (in Simple Archive Format), either from the command line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. An attacker may craft a malicious Simple Archive Format (SAF) package whose `contents` file references any system files (using relative traversal sequences) which are readable by the Tomcat user. If such a package is imported, this will result in sensitive content disclosure, including retrieval of arbitrary files or configurations from the server where DSpace is running.

The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from the user interface / REST API) or system administrators (from the command line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import).

The fix is included in DSpace 7.6.4, 8.2 and 9.1. For those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.0. Although it is not possible to fully protect the system via workarounds, one can apply a best practice. Administrators must care...
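The defensive check this class of bug calls for, as an added example that is not DSpace's own (Java) code: parse the SAF `contents` file, resolve each referenced file name against the item directory, and reject any entry that escapes it before anything is opened or copied. It assumes the SAF `contents` layout of one file name per line followed by optional tab-separated attributes, a hypothetical import directory path, and a constructed sample `contents` text.

```python
from pathlib import Path

class SafPathTraversal(ValueError):
    """A `contents` entry would resolve outside the SAF item directory."""

def parse_contents(text):
    """One bitstream per line: file name, then optional tab-separated
    attributes (bundle:, permissions:, description:). Skips blanks/comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *fields = line.split("\t")
        attrs = {}
        for field in fields:
            key, _, value = field.partition(":")
            attrs[key.strip()] = value.strip()
        entries.append((name, attrs))
    return entries

def resolve_bitstream(item_dir, name):
    """Real path of a referenced bitstream; refuses any name that escapes
    item_dir through '..' sequences, an absolute path, or a symlink."""
    base = Path(item_dir).resolve()
    candidate = (base / name).resolve()  # resolve() follows symlinks too
    if base not in candidate.parents:    # also rejects '.' and '' (the dir itself)
        raise SafPathTraversal(f"{name!r} resolves outside {base}")
    return candidate

def is_safe_name(item_dir, name):
    """Boolean form of resolve_bitstream for reporting and tests."""
    try:
        resolve_bitstream(item_dir, name)
        return True
    except SafPathTraversal:
        return False

def check_package(item_dir):
    """Validate every `contents` entry before any file is opened or copied."""
    text = (Path(item_dir) / "contents").read_text()
    return [resolve_bitstream(item_dir, n) for n, _ in parse_contents(text)]

# Constructed sample `contents`: one benign entry, one traversal entry.
SAMPLE_CONTENTS = ("paper.pdf\tbundle:ORIGINAL\tdescription:Main text\n"
                   "../../../../etc/passwd\tbundle:ORIGINAL\n")

def demo(item_dir="/srv/dspace/import/item_001"):  # hypothetical import path
    return [is_safe_name(item_dir, n) for n, _ in parse_contents(SAMPLE_CONTENTS)]
```

Checking the resolved path rather than the raw string is what catches `..` chains, absolute names and symlinked entries alike; a blocklist of `../` substrings would not.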

Classification

CVE ID: CVE-2025-53622

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:L

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

Vendor: DSpace

Product: DSpace

References

https://nvd.nist.gov/vuln/detail/CVE-2025-53622
https://github.com/DSpace/DSpace/security/advisories/GHSA-vhvx-8xgc-99wf
https://github.com/DSpace/DSpace/pull/11036
https://github.com/DSpace/DSpace/pull/11036.patch
https://github.com/DSpace/DSpace/pull/11037
https://github.com/DSpace/DSpace/pull/11037.patch
https://github.com/DSpace/DSpace/pull/11038
https://github.com/DSpace/DSpace/pull/11038.patch

Timeline