oss-security - CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <6167946a-2516-e021-45a8-f903b72d4508@apache.org>
Date: Sun, 23 Mar 2025 13:30:23 +0000
From: "Gary D. Gregory" <ggregory@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file
 can reveal the URI's password in an error message 

Severity: moderate

Affected versions:

- Apache Commons VFS before 2.10.0

Description:

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.

The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message
This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.

This issue is being tracked as VFS-169 

Credit:

Marek Šunda (finder)

References:

https://issues.apache.org/jira/browse/VFS-169
https://commons.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-30474
https://issues.apache.org/jira/browse/VFS-169

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.