CVE-2025-13265 - Vulnerability Details

A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java. This manipulation causes path traversal. It is possible to initiate the attack remotely.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00056.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Lsfusion Subscribe	Lsfusion Platform Subscribe Platform Subscribe

Configuration 1 [-]

cpe:2.3:a:lsfusion:lsfusion_platform:*:*:*:*:*:*:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Lsfusion Subscribe	Platform Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-8wf8-frjg-xv74	lsFusion Server is vulnerable to Path Traversal through its unpackFile function

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/lsfusion/platform/issues/1545
https://vuldb.com/?ctiid.332600
https://vuldb.com/?id.332600
https://vuldb.com/?submit.689427

History

Mon, 01 Dec 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Lsfusion lsfusion Platform
CPEs	cpe:2.3:a:lsfusion:platform::::::::	cpe:2.3:a:lsfusion:lsfusion_platform::::::::
Vendors & Products		Lsfusion lsfusion Platform

Fri, 28 Nov 2025 17:15:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:isfusion:platform::::::::	cpe:2.3:a:lsfusion:platform::::::::
Vendors & Products	Isfusion Isfusion platform

Tue, 25 Nov 2025 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Isfusion Isfusion platform
CPEs		cpe:2.3:a:isfusion:platform::::::::
Vendors & Products		Isfusion Isfusion platform

Mon, 17 Nov 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 17 Nov 2025 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Lsfusion Lsfusion platform
Vendors & Products		Lsfusion Lsfusion platform

Mon, 17 Nov 2025 05:45:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java. This manipulation causes path traversal. It is possible to initiate the attack remotely.
Title		lsfusion platform ZipUtils.java unpackFile path traversal
Weaknesses		CWE-22
References		https://github.com/lsfusion/platform/issues/1545 https://vuldb.com/?ctiid.332600 https://vuldb.com/?id.332600 https://vuldb.com/?submit.689427
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2025-11-17T05:32:05.557Z

Updated: 2025-11-17T16:58:09.861Z

Reserved: 2025-11-16T15:33:22.440Z

Link: CVE-2025-13265

Vulnrichment

Updated: 2025-11-17T16:58:06.073Z

NVD

Status : Analyzed

Published: 2025-11-17T06:15:43.143

Modified: 2025-12-01T15:33:55.743

Link: CVE-2025-13265

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-11-17T10:09:17Z

Weaknesses

CWE-22

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object