IBM WebSphere Application Server Liberty is affected by a remote code execution vulnerability (CVE-2025-14914 CVSS 7.6) #33927

@idlewis

Description

Liberty's file transfer API (part of the restConnector feature) can be used to send a compressed zip archive to a Liberty server. The Liberty server can then extract the archive if it is sent with a query parameter of expandOnCompletion=true. Liberty doesn't check for relative paths inside the archive, which can result in Liberty writing files to the local file system that are outside the configured writable path.

Steps to Reproduce
1. Enable the restConnector feature.
2. Configure a writable directory.
3. Send a zip file containing a relative path such as ../../../etc/passwd to the server using the file transfer API, and set a parameter of expandOnCompletion=true.

Expected behavior
The server should not expand the archive, and should return an error instead.

Diagnostic information:
Affects all Liberty versions
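The archive described in the reproduction steps, and the path check the expected behavior calls for, as an added Python example that is not part of this issue or of Liberty's code. The sandbox directory layout, the entry names and the file contents are constructed for the demonstration, and the check is written as a stand-alone extractor rather than against Liberty's file transfer API.

```python
"""Zip Slip demonstration for the expandOnCompletion issue above.

Constructed example, not Liberty's code: builds an archive that carries a
'../../../etc/passwd' entry, shows a naive extractor writing it outside the
configured writable directory, and shows a hardened extractor that validates
every entry's resolved path before writing anything.
"""
import io
import os
import tempfile
import zipfile

# Entry name taken from the issue's reproduction step.
TRAVERSAL_NAME = "../../../etc/passwd"


def build_zip(include_traversal: bool = True) -> bytes:
    """Return an in-memory zip: one benign entry, optionally one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config/app.xml", "<server/>")
        if include_traversal:
            # zipfile writes the name verbatim; nothing stops '..' at build time.
            zf.writestr(TRAVERSAL_NAME, "root:x:0:0::/root:/bin/sh\n")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Trust entry names as-is (the bug). Returns real paths of files written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # '..' survives the join
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Reject the whole archive if any entry resolves outside dest.

    Validation happens before any write, so a half-applied archive is never
    left behind. realpath also resolves symlinks, so an entry that walks
    through a link under dest is caught as well.
    """
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # An absolute entry name replaces root in os.path.join; commonpath
            # rejects that case too.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry escapes target directory: {info.filename!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors in a throwaway sandbox and report what happened."""
    with tempfile.TemporaryDirectory() as sandbox:
        sandbox = os.path.realpath(sandbox)
        # Stand-in for the configured writable directory (hypothetical layout).
        writable = os.path.join(sandbox, "srv", "liberty", "usr", "upload")
        os.makedirs(writable)

        naive_paths = naive_extract(build_zip(), writable)
        escaped = [
            os.path.relpath(p, sandbox).replace(os.sep, "/")
            for p in naive_paths
            if os.path.commonpath([writable, p]) != writable
        ]

        try:
            safe_extract(build_zip(), writable)
            rejected = False
        except ValueError:
            rejected = True

        benign = safe_extract(build_zip(include_traversal=False), writable)
        return {
            "escaped": escaped,             # files the naive extractor put outside
            "rejected": rejected,           # hardened extractor refused the archive
            "benign_written": len(benign),  # hardened extractor still handles clean zips
        }


if __name__ == "__main__":
    print(demo())
```

Python's own ZipFile.extractall already strips leading '/' and '..' components, which is why the vulnerable extractor is hand-rolled here. The hardened version compares real paths and rejects before writing, so it also catches an absolute entry name (which os.path.join would let replace the root) and an entry that walks through a symlink under the writable directory.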

Metadata

Labels

release bug (This bug is present in a released version of Open Liberty), release:26002
