Vulnerability in library Apache Commons FileUpload - JMIX 2.6.1

Dear JMIX team,

We received the following request from our IT security team: NVD - CVE-2025-48976

Description

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

We are using JMIX v2.6.1, and we found that it pulls in the Apache Commons FileUpload library 2.0.0-M1.


Could you please be so kind as to upgrade to 2.0.0-M4 in the next version?

Thank you!

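The report above reduces to a version-range check against the ranges NVD gives for CVE-2025-48976 ("from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4"). The tricky part in practice is that milestone builds such as 2.0.0-M1 sort before the final 2.0.0, so a naive string or numeric comparison gets the answer wrong. The script below is an added example and is not code from the forum post or from the Jmix project: it implements the range check with milestone-aware ordering and runs it over a few constructed lines in the format of a Gradle `dependencies` report (the `org.example:web-framework` coordinate and the report lines are invented for the example; the Apache artifact names are assumed to be the usual `commons-fileupload2-*` coordinates).

```python
import re

# Affected ranges for CVE-2025-48976, exactly as stated in the NVD description:
# each pair is (first affected version, first fixed version), i.e. lo <= v < hi.
AFFECTED_RANGES = [("1.0", "1.6"), ("2.0.0-M1", "2.0.0-M4")]

_VERSION = re.compile(r"(\d+(?:\.\d+)*)(?:-M(\d+))?")


def version_key(version: str) -> tuple:
    """Sort key for versions like '1.5', '2.0.0', '2.0.0-M3'.

    A milestone (-Mn) is a pre-release and therefore sorts BEFORE the final
    release with the same numeric part: 2.0.0-M4 < 2.0.0.
    """
    m = _VERSION.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # pad '1.5' to (1, 5, 0)
    milestone = m.group(2)
    is_final = 1 if milestone is None else 0  # final release outranks milestones
    return (*nums[:3], is_final, int(milestone) if milestone else 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range of CVE-2025-48976."""
    k = version_key(version)
    return any(version_key(lo) <= k < version_key(hi) for lo, hi in AFFECTED_RANGES)


# One dependency line of a Gradle report: group:artifact:declared [-> resolved] [(*)]
_DEP_LINE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):(\S+?)(?: -> (\S+))?\s*(?:\(\*\))?$"
)


def find_affected(report: str) -> list:
    """Return (coordinate, resolved version) for every FileUpload artifact in the
    affected ranges. When Gradle prints 'declared -> resolved', the resolved
    version is what actually ends up on the classpath, so that is what is checked."""
    hits = []
    for line in report.splitlines():
        m = _DEP_LINE.search(line)
        if not m:
            continue
        group, artifact, declared, resolved = m.groups()
        version = resolved or declared
        if "fileupload" in artifact and is_affected(version):
            hits.append((f"{group}:{artifact}", version))
    return hits


# Constructed sample in the layout of `gradle dependencies`; not a real project's output.
SAMPLE_REPORT = r"""
+--- org.example:web-framework:1.0
|    +--- org.apache.commons:commons-fileupload2-jakarta-servlet6:2.0.0-M1
|    |    \--- org.apache.commons:commons-fileupload2-core:2.0.0-M1
\--- commons-fileupload:commons-fileupload:1.5 -> 1.6
"""

if __name__ == "__main__":
    for coordinate, version in find_affected(SAMPLE_REPORT):
        print(f"affected: {coordinate}:{version}")
```

In the constructed report the two 2.0.0-M1 artifacts are flagged, while the `1.5 -> 1.6` line is not, because Gradle resolved it to the fixed 1.6. To use it on a real build, pipe the output of `./gradlew dependencies --configuration runtimeClasspath` into `find_affected`; the same ordering rule is what makes 2.0.0-M4 and the final 2.0.0 both come out clean.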

Hi,

Thank you for the report.
This dependency is brought by Vaadin and should be fixed when we update the Vaadin libraries in the next patch. See Update to the latest Vaadin 24.7.x · Issue #4695 · jmix-framework/jmix

Regards,
Konstantin