
CVE-2025-32960: XSS in the /files Endpoint of the Generic REST API

CVSS Score (v3.1): 6.4

Basic Information

EPSS Score: 0.18748%
Published: 4/22/2025
Updated: 4/23/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Package Name: com.haulmont.addon.restapi:restapi-rest-api
Ecosystem: maven
Vulnerable Versions: < 7.2.7
First Patched Version: 7.2.7

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description states that the /files endpoint can be manipulated to return Content-Type: text/html if the filename ends with .html, leading to XSS. The provided commit b3d599f6657d7e212fdb134a61ab5e0888669eb1 patches this vulnerability.

The commit modifies FileDownloadController.java. Specifically, the downloadFile method is altered. A new method, resolveAttachmentValue, is introduced, and downloadFile now calls it to determine if a file should be served as an attachment or inline. The resolveAttachmentValue method checks the file extension against a configurable list of allowed inline extensions (inlineEnabledFileExtensions from RestApiConfig.java, also modified in the patch).

The downloadFile method is identified as the vulnerable function because it was directly responsible for serving the file and, prior to the patch, its logic for setting the HTTP response headers (Content-Disposition and Content-Type) allowed HTML files to be rendered inline by the browser. The patch changes this behavior within downloadFile by incorporating the stricter logic from resolveAttachmentValue.

The other functions the patch modifies or adds (resolveAttachmentValue in FileDownloadController.java and getInlineEnabledFileExtensions in RestApiConfig.java) are part of the mitigation, not the vulnerable code itself. The vulnerability lay in the downloadFile method's previous behavior.
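To make the allowlist decision described above concrete, here is an added, standalone Java illustration of the pattern (not the project's code from the commit); the class name, the default extension list and the header-building helper are assumptions, and only the Content-Disposition decision is modelled.

```java
import java.util.Locale;
import java.util.Set;

// Illustrative allowlist policy modelled on the fix the analysis describes.
// Class name, default list and helpers are assumptions, not the project's code.
public final class InlineDispositionPolicy {
    // Assumed default: only passive media types may render in the browser;
    // anything that can carry script (html, svg, xhtml, ...) is deliberately absent.
    static final Set<String> DEFAULT_INLINE_EXTENSIONS =
            Set.of("jpg", "jpeg", "png", "gif", "pdf", "txt");
    private final Set<String> inlineEnabledExtensions;

    InlineDispositionPolicy(Set<String> inlineEnabledExtensions) {
        this.inlineEnabledExtensions = inlineEnabledExtensions;
    }

    // Name part of a path (after the last / or \), so directories never affect the decision.
    static String nameOf(String fileName) {
        int slash = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\'));
        return fileName.substring(slash + 1);
    }

    // Lower-cased extension of the name part; "" when missing or a trailing dot.
    // Locale.ROOT keeps the comparison independent of the JVM's default locale.
    static String extensionOf(String fileName) {
        String name = nameOf(fileName);
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            return "";
        }
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // "inline" only for allowlisted extensions; every other file is a download.
    String resolveAttachmentValue(String fileName) {
        return inlineEnabledExtensions.contains(extensionOf(fileName)) ? "inline" : "attachment";
    }

    // Full Content-Disposition value; CR, LF and quotes are stripped so a
    // caller-supplied name cannot break out of the header field.
    String contentDisposition(String fileName) {
        String safeName = nameOf(fileName).replaceAll("[\\r\\n\"]", "");
        return resolveAttachmentValue(fileName) + "; filename=\"" + safeName + "\"";
    }

    public static void main(String[] args) {
        InlineDispositionPolicy policy = new InlineDispositionPolicy(DEFAULT_INLINE_EXTENSIONS);
        for (String f : new String[] {"report.pdf", "page.html", "PAGE.HTML", "img.svg", "docs/notes.txt", "noext"}) {
            System.out.println(f + " -> " + policy.contentDisposition(f));
        }
    }
}
```

Running it shows report.pdf and docs/notes.txt resolved as inline while page.html, PAGE.HTML, img.svg and noext all fall back to attachment, so case variants and names without an allowlisted extension never render in the browser. How Content-Type should be derived for the inline cases is not covered by the page and is therefore not modelled here.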


Impact

The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser.
