oss-sec mailing list archives
From: "Gary D. Gregory" <ggregory () apache org>
Date: Sun, 23 Mar 2025 13:30:23 +0000
Severity: moderate
Affected versions:
- Apache Commons VFS before 2.10.0
Description:
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.
The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message,
which may include a password. The fix is to mask the password in the exception message.
This issue affects Apache Commons VFS: before 2.10.0.
Users are recommended to upgrade to version 2.10.0, which fixes the issue.
This issue is being tracked as VFS-169.
Credit:
Marek Šunda (finder)
References:
https://issues.apache.org/jira/browse/VFS-169
https://commons.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-30474
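The pattern behind this advisory, shown as an added example that is not Commons VFS code and does not call FtpFileObject: a "file not found" message that interpolates the full URI leaks the userinfo password, and masking that component before the string is built removes the leak while keeping the rest of the URI for debugging. The class and method names (MaskedUriDemo, leakyMessage, maskedMessage, maskPassword) and the sample ftp:// URI with its fictitious credentials are assumptions made for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not Commons VFS code: shows why "File not found: " + uri leaks the
// password of an ftp://user:pass@host/path URI, and one way to mask it before the
// string reaches an exception message or a log line.
public class MaskedUriDemo {

    // Constructed sample input; the user name and password are fictitious.
    static final URI SAMPLE = URI.create("ftp://alice:s3cret@ftp.example.com/pub/missing.txt");

    // The leaky pattern: the whole URI, userinfo included, is interpolated as-is.
    static String leakyMessage(URI uri) {
        return "File not found: " + uri;
    }

    // The hardened pattern: same message, password replaced before interpolation.
    static String maskedMessage(URI uri) {
        return "File not found: " + maskPassword(uri);
    }

    // Replace everything after the first ':' in the userinfo component with "***".
    // Only the password is hidden; scheme, user name, host, port and path stay
    // readable so the message is still useful when diagnosing the failure.
    static String maskPassword(URI uri) {
        String userInfo = uri.getUserInfo();           // decoded "user:pass", or null
        if (userInfo == null || userInfo.indexOf(':') < 0) {
            return uri.toString();                     // no password present, nothing to hide
        }
        String masked = userInfo.substring(0, userInfo.indexOf(':')) + ":***";
        try {
            // The multi-argument constructor re-encodes each component, so the masked
            // URI is rebuilt from parts instead of being spliced together as text.
            return new URI(uri.getScheme(), masked, uri.getHost(), uri.getPort(),
                           uri.getPath(), uri.getQuery(), uri.getFragment()).toString();
        } catch (URISyntaxException e) {
            // Fall back to a credential-free form rather than risk echoing the original.
            return uri.getScheme() + "://" + uri.getHost() + uri.getRawPath();
        }
    }

    public static void main(String[] args) {
        String before = leakyMessage(SAMPLE);
        String after = maskedMessage(SAMPLE);
        System.out.println("before: " + before);
        System.out.println("after:  " + after);
        // Self-check: the secret must not survive masking, the rest of the URI must.
        if (!before.contains("s3cret") || after.contains("s3cret")
                || !after.contains("alice:***@ftp.example.com/pub/missing.txt")) {
            throw new AssertionError("masking did not behave as expected");
        }
    }
}
```

Two practical checks follow from this. First, the same leak reappears wherever a URI with embedded credentials is stringified, so exception messages, log statements and toString() implementations that touch file-system URIs all deserve the same masking. Second, Commons VFS also accepts credentials through a StaticUserAuthenticator set on FileSystemOptions; supplying them that way instead of in the URI keeps the password out of the URI string altogether, which is a stronger position than masking after the fact.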
Current thread:
- CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message Gary D. Gregory (Mar 23)