CVE-2025-32952: 
Java vulnerability analysis and mitigation

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. CVE-2025-32952 was discovered and disclosed on April 22, 2025, affecting versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4. The vulnerability exists in the local file storage implementation which does not restrict the size of uploaded files (Jmix Docs, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The local file storage implementation lacks restrictions on uploaded file sizes, making it vulnerable to exploitation (GitHub Advisory).

An attacker could exploit this vulnerability by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service. The severity is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users, and the /files endpoint in Jmix requires specific permissions and is disabled by default (GitHub Advisory).

The vulnerability has been patched in versions 1.6.2 and 2.4.0. For users unable to upgrade immediately, a workaround is provided that involves disabling the /files REST endpoint to eliminate the attack vector. This can be implemented by creating a BlockingFilter class and configuring it in the application (Jmix Docs).