DSpace up to 7.6.3/8.1/9.0 Import Command path traversal

Summaryinfo

A vulnerability was found in DSpace up to 7.6.3/8.1/9.0. It has been rated as critical. This vulnerability affects unknown code of the component Import Command Handler. Performing a manipulation results in path traversal. This vulnerability is reported as CVE-2025-53622. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability, which was classified as critical, was found in DSpace up to 7.6.3/8.1/9.0. This affects an unknown function of the component Import Command Handler. The manipulation with an unknown input leads to a path traversal vulnerability. CWE is classifying the issue as CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

DSpace open source software is a repository application which provides durable access to digital resources. Prior to versions 7.6.4, 8.2, and 9.1, a path traversal vulnerability is possible during the import of an archive (in Simple Archive Format), either from command-line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. An attacker may craft a malicious Simple Archive Format (SAF) package where the `contents` file references any system files (using relative traversal sequences) which are readable by the Tomcat user. If such a package is imported, this will result in sensitive content disclose, including retrieving arbitrary files or configurations from the server where DSpace is running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import). The fix is included in DSpace 7.6.4, 8.2 and 9.1. For those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.0. Although it is not possible to fully protect the system via workarounds, one may can apply a best practice. Administrators must carefully inspect any SAF archives (they did not construct themselves) before importing, paying close attention to the `contents` file to validate it does not reference files outside of the SAF archives.

It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2025-53622 since 07/07/2025. The exploitability is told to be easy. It is possible to initiate the attack remotely. Additional levels of successful authentication are required for exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1006 according to MITRE ATT&CK.

Upgrading to version 7.6.4, 8.2 or 9.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-21448). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Name

• DSpace

Version

• 7.6.0
• 7.6.1
• 7.6.2
• 7.6.3
• 8.0
• 8.1
• 9.0

Website

• Product: https://github.com/DSpace/DSpace/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion