CVE-2025-5964: Path traversal in M-Files API

DESCRIPTION

A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files on the server.

AFFECTED PRODUCTS

M-Files Server before 25.6.14925.0

M-Files Server before 25.2 LTS SR1 (25.2.14524.9)

M-Files Server before 24.8 LTS SR4 (24.8.13981.16)
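
The version check implied by the list above, as an added example that is not part of the original advisory or M-Files code. It assumes that four-field version strings are available from your own inventory and that an LTS branch is identified by the first two version fields; the host names and sample versions are constructed.

```python
# Fixed builds copied from the AFFECTED PRODUCTS list in this advisory.
# Assumption: the first two fields (e.g. 24.8) identify an LTS branch.
LTS_FIXED = {
    (24, 8): (24, 8, 13981, 16),  # 24.8 LTS SR4
    (25, 2): (25, 2, 14524, 9),   # 25.2 LTS SR1
}
MAINLINE_FIXED = (25, 6, 14925, 0)


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of four ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-field version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True if the build predates the fixed build for its branch."""
    version = parse_version(version_text)
    # An LTS build is compared with its own service release, not with the
    # mainline fix: 24.8.13981.16 is fixed although it sorts below 25.6.
    fixed = LTS_FIXED.get(version[:2], MAINLINE_FIXED)
    return version < fixed


def triage(inventory):
    """Map each host in a host -> version dict to a triage status."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(version_text) else "fixed"
        except ValueError:
            result[host] = "unparseable"  # flag for manual review
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and builds).
    sample = {
        "mfiles-prod": "24.8.13981.15",
        "mfiles-dr": "24.8.13981.16",
        "mfiles-test": "25.5.14829.0",
        "mfiles-lab": "unknown",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```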

MORE INFORMATION

This vulnerability requires an authenticated user.

CVSS 4.0 CVSS-B Score: 8.4

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/RE:M/U:Green

CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

CAPEC: CAPEC-126 Path Traversal

Internal ID: DXR-113

Alternate IDs: EUVD-2025-18348

Date issued: 2025-06-10

EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: low – internally found

LINKS

https://www.cve.org/CVERecord?id=CVE-2025-5964

https://euvd.enisa.europa.eu/enisa/EUVD-2025-18348

HISTORY

2025-06-16 Published
