CVE-2025-53622
📋 TL;DR
DSpace has a path traversal vulnerability in its Simple Archive Format (SAF) import functionality that allows attackers to read arbitrary files on the server when administrators import malicious archives. Only administrators can trigger this vulnerability by importing untrusted SAF packages. This affects DSpace versions prior to 7.6.4, 8.2, and 9.1.
💻 Affected Systems
- DSpace
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through disclosure of sensitive configuration files, credentials, or system files leading to further attacks.
Likely Case
Disclosure of sensitive DSpace configuration files, database credentials, or other application data stored on the server.
If Mitigated
No impact if administrators only import trusted, self-created archives or have patched the system.
🎯 Exploit Status
Exploitation requires social engineering or compromise of archive sources to trick administrators into importing malicious SAF packages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: DSpace 7.6.4, 8.2, and 9.1
Vendor Advisory: https://github.com/DSpace/DSpace/pull/11036
Restart Required: Yes
Instructions:
1. Upgrade to DSpace 7.6.4, 8.2, or 9.1.
2. For manual patching, apply the patches from GitHub pull requests #11036, #11037, and #11038.
3. Restart Tomcat/application server.
🔧 Temporary Workarounds
Disable SAF Import
Temporarily disable Simple Archive Format import functionality until patching is possible.
Remove or restrict access to the import commands and web interface features.
🧯 If You Can't Patch
- Implement strict policy requiring administrators to only import self-created SAF archives
- Manually inspect all contents files in SAF archives for path traversal sequences before import
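The manual inspection suggested above can be automated. The following checker is an added example, not code from DSpace or from the referenced pull requests; it assumes the usual SAF layout (one directory per item, each with a "contents" file listing one bitstream per line, the filename first and tab-separated options such as bundle:ORIGINAL after it) and flags any entry whose resolved path leaves its item directory. The archive it scans is constructed inline.

```python
import os
import tempfile

# Assumed SAF layout (constructed for this example): <archive>/<item>/contents,
# each line "<filename>\t<key>:<value>..." describing one bitstream of the item.

def contents_entries(contents_path):
    """Yield (line_no, filename) for each non-empty line of a SAF contents file."""
    with open(contents_path, encoding="utf-8") as fh:
        for no, line in enumerate(fh, 1):
            line = line.rstrip("\r\n")
            if not line.strip():
                continue
            yield no, line.split("\t", 1)[0]

def escapes_item_dir(item_dir, filename):
    """True if filename resolves outside item_dir (absolute path, ../ hops, symlinks)."""
    if os.path.isabs(filename):
        return True
    item_root = os.path.realpath(item_dir)
    target = os.path.realpath(os.path.join(item_root, filename))
    return os.path.commonpath([item_root, target]) != item_root

def scan_saf(archive_dir):
    """Return (item, line_no, filename) for every contents entry that escapes its item."""
    findings = []
    for item in sorted(os.listdir(archive_dir)):
        item_dir = os.path.join(archive_dir, item)
        contents = os.path.join(item_dir, "contents")
        if not os.path.isfile(contents):
            continue
        for no, name in contents_entries(contents):
            if escapes_item_dir(item_dir, name):
                findings.append((item, no, name))
    return findings

def build_sample_archive():
    """Construct a throwaway SAF archive: one clean item and one with a traversal entry."""
    root = tempfile.mkdtemp(prefix="saf-check-")
    items = {
        "item_000": ["paper.pdf\tbundle:ORIGINAL", "license.txt\tbundle:LICENSE"],
        "item_001": ["cover.png\tbundle:ORIGINAL", "../../outside.txt\tbundle:ORIGINAL"],
    }
    for item, lines in items.items():
        os.makedirs(os.path.join(root, item))
        with open(os.path.join(root, item, "contents"), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return root

if __name__ == "__main__":
    for item, no, name in scan_saf(build_sample_archive()):
        print("traversal entry in %s/contents line %d: %r" % (item, no, name))
```

Run it against a real archive by calling scan_saf on the archive directory and refusing the import if it returns anything; it checks only the contents listings, so files inside the item directories are never opened.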
🔍 How to Verify
Check if Vulnerable:
Check the DSpace version: if it is older than 7.6.4, 8.2, or 9.1, the system is vulnerable.
Check Version:
Check the DSpace version in the web interface or run: ./dspace version
Verify Fix Applied:
After patching, test SAF import with a test archive containing path traversal sequences to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns during SAF imports
- File-not-found errors that reference paths outside the archive directory
Network Indicators:
- Large data transfers during SAF import operations
SIEM Query:
Search for import operations accessing files outside expected archive directories
🔗 References
- https://github.com/DSpace/DSpace/pull/11036
- https://github.com/DSpace/DSpace/pull/11036.patch
- https://github.com/DSpace/DSpace/pull/11037
- https://github.com/DSpace/DSpace/pull/11037.patch
- https://github.com/DSpace/DSpace/pull/11038
- https://github.com/DSpace/DSpace/pull/11038.patch
- https://github.com/DSpace/DSpace/security/advisories/GHSA-vhvx-8xgc-99wf