CVE-2025-32961: XSS in the /download Endpoint of the JPA Web API
6.4
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.haulmont.addon.jpawebapi:jpawebapi-jpawebapi | maven | < 1.1.1 | 1.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description indicates an XSS in the /download endpoint due to manipulation of the Content-Type header for files ending in .html. The provided commit 78b837d7e2b12d0df69cef1bc6042ebf3bdaf22c patches this vulnerability.
Analysis of the commit shows changes in RestFileDownloadController.java. The download method in this class is mapped to the /download request path.
Before the patch, whether a file was served inline (which can lead to XSS when the file is HTML) or as an attachment was controlled almost entirely by the request parameter `a`: `boolean attach = Boolean.valueOf(request.getParameter("a"));`. Unless `a` was exactly `true`, `attach` was `false` and `Content-Disposition` was set to `inline`. A previously uploaded malicious HTML file whose name ended in `.html` would therefore be rendered by the browser, because the browser (or the server) would infer or set `Content-Type: text/html`.
The patch introduces a new method `resolveAttachmentValue`, called from `download`, that checks the file extension against a configurable allowlist (`jpaWebApiConfig.getInlineEnabledFileExtensions()`). If the extension is not on the allowlist (`.html`, for example), `resolveAttachmentValue` forces `Content-Disposition: attachment`, so the browser downloads the file instead of rendering it, which mitigates the XSS.
The vulnerable function is therefore `com.haulmont.addon.jpawebapi.api.controller.RestFileDownloadController.download`: it handled the user request, processed the file and, before the patch, decided to serve potentially malicious HTML files inline on insufficient criteria, leading to the XSS described above.
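The before/after decision logic described above, reconstructed as a stand-alone example. This is added illustration, not the JPA Web API project's code: the class name, the `contentDispositionBeforePatch`/`contentDispositionAfterPatch` helpers, the `INLINE_ENABLED_EXTENSIONS` set (standing in for `jpaWebApiConfig.getInlineEnabledFileExtensions()`), and the exact way `resolveAttachmentValue` combines the `a` parameter with the allowlist are all assumptions; only the pre-patch `Boolean.valueOf(request.getParameter("a"))` line comes from the advisory.

```java
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical reconstruction of the Content-Disposition decision in the
 * /download endpoint before and after the fix. Not the project's code.
 */
public class InlineDispositionExample {

    // Constructed allowlist standing in for
    // jpaWebApiConfig.getInlineEnabledFileExtensions(); values are assumptions.
    static final Set<String> INLINE_ENABLED_EXTENSIONS =
            Set.of("pdf", "png", "jpg", "jpeg", "gif", "txt");

    /** Pre-patch behaviour: the client alone decides via the 'a' request parameter. */
    static String contentDispositionBeforePatch(String fileName, String aParam) {
        // Boolean.valueOf(null) and anything other than "true" yield false -> inline
        boolean attach = Boolean.valueOf(aParam);
        return (attach ? "attachment" : "inline") + "; filename=\"" + fileName + "\"";
    }

    /**
     * Post-patch behaviour (assumed shape): the client may still ask for a
     * download, but may only get inline delivery for allowlisted extensions.
     */
    static boolean resolveAttachmentValue(String fileName, String aParam) {
        boolean attach = Boolean.valueOf(aParam);
        if (attach) {
            return true; // an explicit download request is always the safe choice
        }
        String ext = extensionOf(fileName);
        // Missing or non-allowlisted extension (e.g. html) -> force attachment
        return ext == null || !INLINE_ENABLED_EXTENSIONS.contains(ext);
    }

    static String contentDispositionAfterPatch(String fileName, String aParam) {
        boolean attach = resolveAttachmentValue(fileName, aParam);
        return (attach ? "attachment" : "inline") + "; filename=\"" + fileName + "\"";
    }

    /** Lower-cased extension after the last dot, or null if there is none. */
    private static String extensionOf(String fileName) {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) {
            return null;
        }
        return fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample requests: file name and value of the 'a' parameter (null = absent)
        String[][] cases = {
            {"report.pdf", null},
            {"page.html", null},
            {"PAGE.HTML", "false"},
            {"page.html", "true"},
            {"noextension", null},
        };
        for (String[] c : cases) {
            System.out.printf("%-12s a=%-6s before: %-38s after: %s%n",
                    c[0], c[1],
                    contentDispositionBeforePatch(c[0], c[1]),
                    contentDispositionAfterPatch(c[0], c[1]));
        }
    }
}
```

Running `main` shows the difference the patch makes: `page.html` with no `a` parameter is served `inline` by the pre-patch logic and `attachment` by the post-patch logic, while `report.pdf` stays `inline` in both. Two caveats when operating such an allowlist: the extension check is only as good as the list, so any type a browser will render as active content (SVG, for instance) should not be added to it, and pairing the header with `X-Content-Type-Options: nosniff` keeps browsers from second-guessing the declared `Content-Type` of whatever is still served inline.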