CVE-2025-30474

5.0 MEDIUM

📋 TL;DR

Apache Commons VFS versions before 2.10.0 can leak FTP passwords in error messages when file operations fail. This occurs because the FtpFileObject class includes the full URI (including credentials) in exception messages. Any application using Apache Commons VFS for FTP operations with embedded credentials is affected.

💻 Affected Systems

Products:
  • Apache Commons VFS
Versions: All versions before 2.10.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using FTP file operations with embedded credentials in URIs.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could obtain FTP credentials from error logs or application output, potentially gaining unauthorized access to FTP servers and sensitive data.

🟠 Likely Case

Credentials exposed in application logs accessible to administrators or developers, leading to credential harvesting if logs are not properly secured.

🟢 If Mitigated

With proper log sanitization and access controls, exposure is limited to authorized personnel only.

🌐 Internet-Facing: MEDIUM - Applications with internet-facing error reporting or debug endpoints could expose credentials.
🏢 Internal Only: LOW - Risk primarily limited to internal log exposure if proper access controls exist.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires triggering a file not found error on FTP operations.

Exploitation requires access to error messages or logs containing the exception.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.0

Vendor Advisory: https://lists.apache.org/thread/w6ztgnbk6ccry3470x191g3xwrpgy6f4

Restart Required: Yes

Instructions:

1. Identify applications using Apache Commons VFS.
2. Update the dependency to version 2.10.0 or later.
3. Rebuild and redeploy the applications.
4. Restart affected services.

🔧 Temporary Workarounds

Log sanitization (all platforms)

Configure application logging to filter or mask exception messages containing URIs, e.g. configure log4j/slf4j filters to redact patterns matching 'ftp://.*:.*@'.

Disable detailed error messages (all platforms)

Configure applications to return generic error messages instead of detailed exceptions, e.g. set application error reporting to production mode.

🧯 If You Can't Patch

  • Implement strict access controls on application logs and error reporting endpoints.
  • Use FTP connections without embedded credentials (e.g., external credential storage).
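The second fallback, keeping credentials out of the URI, is what the Commons VFS UserAuthenticator mechanism is for. The following is an added example, not code from this advisory or from the Commons VFS project; the host name, path and environment variable names are assumptions. The credentials travel in FileSystemOptions, so the URI that FtpFileObject echoes in an exception message never contains them, even on a version before 2.10.0.

```java
import org.apache.commons.vfs2.FileObject;
import org.apache.commons.vfs2.FileSystemException;
import org.apache.commons.vfs2.FileSystemManager;
import org.apache.commons.vfs2.FileSystemOptions;
import org.apache.commons.vfs2.VFS;
import org.apache.commons.vfs2.auth.StaticUserAuthenticator;
import org.apache.commons.vfs2.impl.DefaultFileSystemConfigBuilder;

/** Resolves an FTP file with credentials supplied out of band rather than in the URI. */
public final class FtpWithoutUriCredentials {

    private FtpWithoutUriCredentials() {}

    /**
     * Returns whether the remote file exists. The URI handed to VFS carries only
     * host and path, so an exception message that echoes the URI cannot leak the
     * password.
     */
    public static boolean remoteFileExists(String host, String path,
                                           String user, String password)
            throws FileSystemException {
        FileSystemOptions opts = new FileSystemOptions();
        // Domain is null for FTP; only user name and password are used.
        StaticUserAuthenticator auth = new StaticUserAuthenticator(null, user, password);
        DefaultFileSystemConfigBuilder.getInstance().setUserAuthenticator(opts, auth);

        FileSystemManager manager = VFS.getManager();
        String uri = "ftp://" + host + path;   // no userinfo component
        try (FileObject file = manager.resolveFile(uri, opts)) {
            return file.exists();
        }
    }

    public static void main(String[] args) throws FileSystemException {
        // Assumed environment variable names; a secret store works the same way.
        String user = System.getenv("FTP_USER");
        String password = System.getenv("FTP_PASSWORD");
        if (user == null || password == null) {
            System.err.println("FTP_USER and FTP_PASSWORD must be set");
            return;
        }
        // ftp.example.invalid and /data/report.csv are placeholders.
        boolean present = remoteFileExists("ftp.example.invalid", "/data/report.csv",
                                           user, password);
        System.out.println("file present: " + present);
    }
}
```

If the file is missing, the FileSystemException raised by exists() still quotes the URI, but that URI is now "ftp://ftp.example.invalid/data/report.csv" with no password to leak.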

🔍 How to Verify

Check if Vulnerable:

Check Maven/Gradle dependencies or library versions for Apache Commons VFS < 2.10.0.

Check Version:

Check build configuration files (pom.xml, build.gradle) or run: java -cp commons-vfs2.jar org.apache.commons.vfs2.Version

Verify Fix Applied:

Verify Apache Commons VFS version is 2.10.0 or higher in dependencies.

📡 Detection & Monitoring

Log Indicators:

  • Exception messages containing 'ftp://' with password patterns
  • FtpFileObject exceptions in stack traces

Network Indicators:

  • Unusual FTP connection attempts following error conditions

SIEM Query:

source="application.logs" AND "ftp://*:*@*"
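The log sanitization workaround above and the log indicators in this section both hinge on recognising an ftp URI that carries userinfo. As an added illustration (not part of this advisory or of Commons VFS), the following Java class redacts the password from such URIs before a message is logged and flags lines that still contain one. The regular expression is an assumption that narrows the advisory's 'ftp://.*:.*@' pattern so it stops at the '@' instead of running greedily to the last '@' on the line; the log lines are constructed samples.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Detects and redacts credential-bearing ftp:// and ftps:// URIs in log text. */
public final class FtpUriRedactor {

    // scheme, user, ':', password, '@' -- user and password exclude the
    // characters that would end the userinfo, so "ftp://host:21/path"
    // (a port, not a password) does not match.
    private static final Pattern CRED_URI =
        Pattern.compile("(ftps?://)([^:/\\s@]+):([^@\\s]+)@");

    private FtpUriRedactor() {}

    /** Replaces the password in every embedded-credential URI with "***". */
    public static String redact(String line) {
        Matcher m = CRED_URI.matcher(line);
        return m.replaceAll("$1$2:***@");
    }

    /** True when the line still carries a password inside an ftp URI. */
    public static boolean leaksCredential(String line) {
        return CRED_URI.matcher(line).find();
    }

    public static void main(String[] args) {
        // Constructed sample log lines, modelled on the exception text this
        // advisory describes; hosts and secrets are placeholders.
        List<String> logLines = List.of(
            "ERROR FileSystemException: Could not determine the type of file "
                + "\"ftp://svc:Pa55w0rd@ftp.example.invalid/data/missing.csv\".",
            "INFO  Connected to ftp://ftp.example.invalid:21/data",
            "WARN  retrying ftp://backup:s3cret@10.0.0.5:21/archive.tar.gz after timeout"
        );
        for (String line : logLines) {
            if (leaksCredential(line)) {
                System.out.println("LEAK  " + redact(line));
            } else {
                System.out.println("clean " + line);
            }
        }
    }
}
```

The first and third sample lines are reported as leaks and printed with the password replaced; the second, which has a port but no userinfo, passes through unchanged. The same pattern can be dropped into a log4j RegexFilter or a SIEM rule in place of the looser one quoted in the workaround.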
