
CVE-2025-13265: Lsfusion Platform Path Traversal Flaw

CVE-2025-13265 is a path traversal vulnerability in Lsfusion Platform affecting the unpackFile function in ZipUtils.java. Attackers can remotely exploit this flaw to access unauthorized files and directories.

CVE-2025-13265 Overview

A path traversal vulnerability has been identified in lsfusion platform up to version 6.1. This vulnerability affects the unpackFile function within the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java. Through manipulation of file paths during archive extraction, an attacker can traverse directory structures and potentially write files outside of the intended destination directory. This attack can be initiated remotely over the network.

Critical Impact

Remote attackers with low-level privileges can exploit this path traversal vulnerability to escape intended directory boundaries during ZIP file extraction, potentially overwriting critical system files or planting malicious content in sensitive locations.

Affected Products

  • lsfusion lsfusion_platform (versions up to 6.1)
  • lsfusion Platform server component
  • Systems utilizing ZipUtils.java for file unpacking operations

Discovery Timeline

  • 2025-11-17 - CVE-2025-13265 published to NVD
  • 2025-12-01 - Last updated in NVD database

Technical Details for CVE-2025-13265

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw exists in the unpackFile function within the ZipUtils.java component of the lsfusion server. The vulnerable function fails to properly validate or sanitize file path entries contained within ZIP archives before extracting them to the file system.

When processing a maliciously crafted ZIP file, an attacker can include entries with relative path sequences (such as ../) that, when extracted, would place files outside the intended extraction directory. This is commonly referred to as a "Zip Slip" vulnerability. The network-accessible attack surface with low complexity requirements makes this vulnerability particularly concerning for exposed lsfusion deployments.

Root Cause

The root cause of this vulnerability lies in insufficient path validation within the unpackFile function. The function does not properly canonicalize or validate the destination path of extracted files against the intended extraction directory. When a ZIP archive entry contains path traversal sequences, the function processes these sequences literally, allowing file writes to arbitrary locations on the file system relative to the extraction point.

Attack Vector

The attack can be executed remotely over the network by an authenticated user with low-level privileges. The attacker would need to upload or supply a maliciously crafted ZIP archive to the lsfusion platform. When the platform processes this archive using the vulnerable unpackFile function in ZipUtils.java, the traversal sequences in the entry names are honored as given, potentially allowing the attacker to:

  1. Overwrite configuration files to modify application behavior
  2. Plant malicious scripts or executables in accessible directories
  3. Overwrite log files to hide evidence of compromise
  4. Write to sensitive system directories if permissions allow

The vulnerability exploits the trust placed in file path entries within ZIP archives, where the application assumes entries are benign and extracts them without proper boundary validation.

Detection Methods for CVE-2025-13265

Indicators of Compromise

  • Unexpected files appearing outside designated extraction directories
  • ZIP archive uploads containing entries with ../ sequences or absolute paths
  • Anomalous file system write operations from the lsfusion server process
  • Modified configuration files or unexpected executables in application directories

Detection Strategies

  • Monitor file system activity from the lsfusion server process for writes outside expected directories
  • Implement file integrity monitoring on critical directories and configuration files
  • Review access logs for ZIP file upload operations from suspicious sources
  • Analyze uploaded ZIP archives for path traversal sequences in entry names
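A concrete form of the last strategy, inspecting entry names of an uploaded archive before it reaches the extractor, as an added example in Java (not lsfusion code; the class and method names and the sample archive are constructed for this illustration). It flags absolute paths and any `..` component, treating backslashes as separators as well so Windows-style names are not missed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Hypothetical pre-extraction scanner for archive entry names (illustration only). */
public final class ZipEntryScanner {

    /** Return the names of entries that use absolute paths or ".." components. */
    public static List<String> findTraversalEntries(InputStream zipData) throws IOException {
        List<String> suspicious = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(zipData)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                if (isSuspicious(entry.getName())) {
                    suspicious.add(entry.getName());
                }
                zin.closeEntry(); // skip the entry body; only the name is inspected
            }
        }
        return suspicious;
    }

    static boolean isSuspicious(String name) {
        // Unify both separator styles before splitting into components.
        String unified = name.replace('\\', '/');
        if (unified.startsWith("/")) {
            return true;                                   // absolute POSIX path
        }
        if (unified.matches("^[A-Za-z]:/.*")) {
            return true;                                   // absolute Windows path
        }
        for (String part : unified.split("/")) {
            if (part.equals("..")) {
                return true;                               // parent-directory component
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: two benign entries and two that should be flagged.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            for (String name : new String[] {
                    "docs/readme.txt", "docs/../docs/notes.txt",
                    "../../outside.txt", "/tmp/absolute.txt"}) {
                zout.putNextEntry(new ZipEntry(name));
                zout.closeEntry();
            }
        }
        List<String> hits = findTraversalEntries(new ByteArrayInputStream(buf.toByteArray()));
        // "docs/../docs/notes.txt" is flagged too: it contains "..", even though it
        // would resolve inside the destination. Reviewers, not the scanner, decide.
        System.out.println("Flagged entries: " + hits);
    }
}
```

The scanner is deliberately stricter than the extractor's canonical-path check: it rejects any `..` component, which produces occasional false positives on archives that use `..` harmlessly but gives a simple rule that can be mirrored in a WAF or upload gateway. Because `ZipInputStream` walks local file headers only, the same check should also run over `ZipFile` (central directory) entries if the application extracts via that API, since the two listings can differ in a crafted archive.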

Monitoring Recommendations

  • Enable detailed logging for file extraction operations within the lsfusion platform
  • Configure alerts for file system modifications in sensitive directories by the application service account
  • Monitor network traffic for large or unusual ZIP file uploads to the lsfusion server
  • Implement runtime application self-protection (RASP) to detect path traversal attempts

How to Mitigate CVE-2025-13265

Immediate Actions Required

  • Review and restrict file upload functionality on exposed lsfusion deployments
  • Implement network segmentation to limit access to the lsfusion server
  • Apply the principle of least privilege to the service account running the lsfusion server
  • Monitor GitHub Issue 1545 for official patch information

Patch Information

The vulnerability has been documented in GitHub Issue 1545 on the lsfusion platform repository. Organizations should monitor this issue and the official lsfusion release channels for a security patch addressing this path traversal vulnerability. Additional technical details are available through VulDB.

Workarounds

  • Disable or restrict access to functionality that processes ZIP archives until a patch is available
  • Implement a web application firewall (WAF) rule to inspect and reject ZIP files with path traversal sequences
  • Add application-level validation to check extracted file paths before writing to disk
  • Run the lsfusion server with restricted file system permissions to limit the impact of successful exploitation
  • Use container isolation to restrict the server's file system access to designated volumes only

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
