CVE-2025-1584: 
Java vulnerability analysis and mitigation

A path traversal vulnerability was discovered in opensolon Solon versions up to 3.0.8, affecting the StaticMappings.java file in the solon-web-staticfiles component. The vulnerability was disclosed on February 23, 2025 and allows remote attackers to traverse directories using '../filedir' manipulation. The issue has been fixed in version 3.0.9 with patch f46e47fd1f8455b9467d7ead3cdb0509115b2ef1 (NVD, MITRE).

The vulnerability exists in the StaticMappings.java file located at solon-projects/solon-web/solon-web-staticfiles/src/main/java/org/noear/solon/web/staticfiles/. It has been assigned CVSS v4.0 score of 5.3 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N and CVSS v3.1 score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-23 (Relative Path Traversal) and CWE-24 (Path Traversal: '../filedir') (NVD).

The vulnerability allows remote attackers to access files outside of the intended directory structure through path traversal manipulation. This could potentially lead to unauthorized access to sensitive files on the system (NVD).

Users are recommended to upgrade to Solon version 3.0.9 which contains the fix for this vulnerability. The patch f46e47fd1f8455b9467d7ead3cdb0509115b2ef1 adds validation to prevent '../' path traversal attempts (GitHub Commit).