CVE-2025-13265 Overview
A path traversal vulnerability has been identified in the lsfusion platform up to version 6.1. It affects the unpackFile function in the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java. By manipulating the file paths of archive entries during extraction, an attacker can traverse directory structures and potentially write files outside of the intended destination directory. The attack can be initiated remotely over the network.
Critical Impact
Remote attackers with low-level privileges can exploit this path traversal vulnerability to escape intended directory boundaries during ZIP file extraction, potentially overwriting critical system files or planting malicious content in sensitive locations.
Affected Products
- lsfusion lsfusion_platform (versions up to 6.1)
- lsfusion Platform server component
- Systems utilizing ZipUtils.java for file unpacking operations
Discovery Timeline
- 2025-11-17 - CVE-2025-13265 published to NVD
- 2025-12-01 - Last updated in NVD database
Technical Details for CVE-2025-13265
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw exists in the unpackFile function within the ZipUtils.java component of the lsfusion server. The vulnerable function fails to properly validate or sanitize file path entries contained within ZIP archives before extracting them to the file system.
An attacker can craft a ZIP file containing entries with relative path sequences (such as ../) that, when extracted, place files outside the intended extraction directory. This is commonly referred to as a "Zip Slip" vulnerability. Because the attack surface is network-accessible and the attack has low complexity, this vulnerability is particularly concerning for exposed lsfusion deployments.
Root Cause
The root cause of this vulnerability lies in insufficient path validation within the unpackFile function. The function does not properly canonicalize or validate the destination path of extracted files against the intended extraction directory. When a ZIP archive entry contains path traversal sequences, the function processes these sequences literally, allowing file writes to arbitrary locations on the file system relative to the extraction point.
Attack Vector
The attack can be executed remotely over the network by an authenticated user with low-level privileges. The attacker would need to upload or supply a maliciously crafted ZIP archive to the lsfusion platform. When the platform processes this archive using the vulnerable unpackFile function in ZipUtils.java, the traversal sequences in the entry names are honoured and files are written outside the destination directory, potentially allowing the attacker to:
- Overwrite configuration files to modify application behavior
- Plant malicious scripts or executables in accessible directories
- Overwrite log files to hide evidence of compromise
- Write to sensitive system directories if permissions allow
The vulnerability stems from the trust placed in entry names within ZIP archives: the application assumes the entries are benign and extracts them without proper boundary validation.
Detection Methods for CVE-2025-13265
Indicators of Compromise
- Unexpected files appearing outside designated extraction directories
- ZIP archive uploads containing entries with ../ sequences or absolute paths
- Anomalous file system write operations from the lsfusion server process
- Modified configuration files or unexpected executables in application directories
Detection Strategies
- Monitor file system activity from the lsfusion server process for writes outside expected directories
- Implement file integrity monitoring on critical directories and configuration files
- Review access logs for ZIP file upload operations from suspicious sources
- Analyze uploaded ZIP archives for path traversal sequences in entry names
Monitoring Recommendations
- Enable detailed logging for file extraction operations within the lsfusion platform
- Configure alerts for file system modifications in sensitive directories by the application service account
- Monitor network traffic for large or unusual ZIP file uploads to the lsfusion server
- Implement runtime application self-protection (RASP) to detect path traversal attempts
How to Mitigate CVE-2025-13265
Immediate Actions Required
- Review and restrict file upload functionality on exposed lsfusion deployments
- Implement network segmentation to limit access to the lsfusion server
- Apply the principle of least privilege to the service account running the lsfusion server
- Monitor GitHub Issue 1545 for official patch information
Patch Information
The vulnerability has been documented in GitHub Issue 1545 on the lsfusion platform repository. Organizations should monitor this issue and the official lsfusion release channels for a security patch addressing this path traversal vulnerability. Additional technical details are available through VulDB.
Workarounds
- Disable or restrict access to functionality that processes ZIP archives until a patch is available
- Implement a web application firewall (WAF) rule to inspect and reject ZIP files with path traversal sequences
- Add application-level validation to check extracted file paths before writing to disk
- Run the lsfusion server with restricted file system permissions to limit the impact of successful exploitation
- Use container isolation to restrict the server's file system access to designated volumes only
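As an added example (not lsfusion's code and not the project's fix, which this page does not reproduce), the following Java shows the application-level check described under Root Cause and in the workarounds list: each entry name is resolved against the destination directory, normalised, and rejected if it does not remain inside it. The class and method names are hypothetical and the sample archive is constructed in memory.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {
    // Resolve an entry name against the destination and reject anything that
    // escapes it: normalize() collapses "../" and "./", Path.startsWith compares
    // whole components (so "/tmp/out" never accepts "/tmp/outside"), and an
    // absolute entry name resolves to itself and so is rejected too.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("entry escapes destination directory: " + entryName);
        }
        return target;
    }

    // Hardened extraction: every entry passes resolveEntry before any write.
    static void unpack(InputStream in, Path destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; zis.closeEntry()) {
                Path target = resolveEntry(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one benign entry, then one with a "../" name.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            for (String name : new String[] {"docs/readme.txt", "../outside.txt"}) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("sample".getBytes());
                zos.closeEntry();
            }
        }
        Path dest = Files.createTempDirectory("unpack");
        try {
            unpack(new ByteArrayInputStream(buf.toByteArray()), dest);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage()); // the "../" entry
        }
    }
}
```

Because the check runs per entry, earlier benign entries are already on disk when a later one is rejected; validate every entry name before writing anything, or extract into a scratch directory and move the result only if all entries pass.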
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.