CVE-2025-40592 | THREATINT

Description

A vulnerability has been identified in Mendix Studio Pro 10 (All versions < V10.23.0), Mendix Studio Pro 10.12 (All versions < V10.12.17), Mendix Studio Pro 10.18 (All versions < V10.18.7), Mendix Studio Pro 10.6 (All versions < V10.6.24), Mendix Studio Pro 11 (All versions), Mendix Studio Pro 8 (All versions < V8.18.35), Mendix Studio Pro 9 (All versions < V9.24.35). A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation.

Reserved 2025-04-16 | Published 2025-06-12 | Updated 2025-06-12 | Assigner siemens

MEDIUM: 6.1CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

MEDIUM: 4.6CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status

unknown

Any version before V10.23.0

affected

Default status

unknown

Any version before V10.12.17

affected

Default status

unknown

Any version before V10.18.7

affected

Default status

unknown

Any version before V10.6.24

affected

Default status

unknown

Any version before *

affected

Default status

unknown

Any version before V8.18.35

affected

Default status

unknown

Any version before V9.24.35

affected

References

cert-portal.siemens.com/productcert/html/ssa-627195.html

cve.org (CVE-2025-40592)

nvd.nist.gov (CVE-2025-40592)

Download JSON