CVE-2025-13262
Published: 17 November 2025
Summary
CVE-2025-13262 is a medium-severity Path Traversal (CWE-22) vulnerability in the Lsfusion Platform. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 43.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-13262 is a path traversal vulnerability (CWE-22) in the lsfusion platform up to version 6.1. The flaw affects the UploadFileRequestHandler function in the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java, where manipulation of the 'sid' argument enables path traversal.
The vulnerability allows remote exploitation over the network with low attack complexity and no privileges required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, base score 7.3). An attacker can obtain low impact on each of confidentiality, integrity, and availability (C:L/I:L/A:L).
Advisories reference GitHub issues at https://github.com/lsfusion/platform/issues/1544 and https://github.com/lsfusion/platform/issues/1544#issue-3589610731, along with VulDB entries at https://vuldb.com/?ctiid.332597, https://vuldb.com/?id.332597, and https://vuldb.com/?submit.689414. The exploit has been publicly disclosed and may be utilized.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-197756
Vulnerability details
A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java. Executing manipulation of the argument sid can lead to path traversal. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the file upload handler of a public-facing web application enables unauthenticated remote exploitation and arbitrary file placement.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of inputs such as the 'sid' argument in UploadFileRequestHandler to block path traversal sequences such as '../'.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of the specific path traversal flaw in the lsfusion platform up to version 6.1.
- Access enforcement: Enforces approved access authorizations so that file system operations by the upload handler are restricted to authorized paths only, mitigating unauthorized access via traversal.
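The input validation described for SI-10 above, as an added example that is not code from the lsfusion project: a weak handler that joins the caller-controlled 'sid' straight onto the upload root, beside a hardened version that allowlists the identifier and then re-checks that the normalised path still lies under the root. The upload root, the function names and the sample 'sid' values are constructed for this example; the real UploadFileRequestHandler is Java and its internals are not reproduced here.

```python
import os
import re
from typing import Optional

# Constructed upload root for this example; not a path from the lsfusion project.
UPLOAD_ROOT = "/srv/app/uploads"

# Allowlist for an upload session id ('sid'): identifier characters only, bounded length.
# '.', '/', '\\', '%' and NUL are all outside the class, so "../", "..%2f" and
# absolute paths are rejected before any filesystem path is built.
SID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_upload_path(sid: str) -> str:
    """Weak pattern: the caller-controlled sid is joined straight onto the root.

    Kept only to contrast with safe_upload_path(); a sid containing '../'
    (or an absolute path, which os.path.join honours) escapes UPLOAD_ROOT.
    """
    return os.path.join(UPLOAD_ROOT, sid)


def stays_under_root(path: str, root: str = UPLOAD_ROOT) -> bool:
    """True if the normalised path is the root itself or lies below it."""
    root = os.path.normpath(root)
    candidate = os.path.normpath(path)
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:
        # Raised when one path is absolute and the other relative (or drives differ).
        return False


def safe_upload_path(sid: str) -> Optional[str]:
    """Resolve sid to a path under UPLOAD_ROOT, or return None to reject the request.

    Layer 1 is the allowlist (the SI-10 style input validation the control asks for);
    layer 2 re-checks containment after normalisation, so a later loosening of the
    regex cannot silently reintroduce traversal.
    """
    if sid is None or not SID_PATTERN.fullmatch(sid):
        return None
    candidate = os.path.normpath(os.path.join(UPLOAD_ROOT, sid))
    if not stays_under_root(candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one benign id followed by malformed or traversing values.
    samples = ["sess_01", "../../etc/passwd", "/etc/passwd", "..%2f..%2fetc", "", "a/b"]
    for s in samples:
        print(f"{s!r:>20}  weak={vulnerable_upload_path(s)!r:<36} safe={safe_upload_path(s)!r}")
```

The allowlist is the control that actually matters; the containment check is defence in depth and also a useful unit test target, because it lets you assert that the weak join really does leave the upload root for the same inputs the hardened path rejects.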