Commons Vfs
CVE-2025-30474
MEDIUM
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 512 maven packages depend on org.apache.commons:commons-vfs2 (92 direct, 420 indirect)
Ecosystem-wide dependent count for version 2.10.0.
DescriptionCVE.org
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.
The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message This issue affects Apache Commons VFS: before 2.10.0.
Users are recommended to upgrade to version 2.10.0, which fixes the issue.
AnalysisAI
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue. Affected products include: Apache Commons Vfs. Version information: before 2.10.0..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
More in Commons Vfs
View allSame weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today