CVE-2021-29425

MEDIUM

Apache Commons IO - Path Traversal via FilenameUtils.normalize


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-29425. PoCs published by shoucheng3, arsalanraja987.

Description

In Apache Commons IO before 2.7, when the method FilenameUtils.normalize is invoked with an improper input string such as "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (hence "limited" path traversal), if the calling code used the result to construct a path value.

Exploits (2)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/asf__commons-io_CVE-2021-29425_2-6

This repository contains the Apache Commons IO source code with a focus on CVE-2021-29425, but lacks explicit exploit code. It includes documentation and build configurations, suggesting it is a technical analysis or patched version of the library.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Apache Commons IO
No auth needed
Prerequisites: Access to vulnerable Apache Commons IO version
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by arsalanraja987 · poc
https://github.com/arsalanraja987/java-cve-2021-29425-tika-xxe

This repository contains a functional PoC for CVE-2021-29425, demonstrating an XXE vulnerability in Apache Tika. It includes both vulnerable and safe parser implementations, showcasing the exploit and mitigation.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Apache Tika (versions affected by CVE-2021-29425)
No auth needed
Prerequisites: A maliciously crafted XML file (e.g., sample.svg)
devstral-2 · analyzed Feb 18, 2026

References (47)

Exploit, Issue Tracking, Vendor Advisory: https://issues.apache.org/jira/browse/IO-556
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html
Third Party Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujan2022.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory: https://security.netapp.com/advisory/ntap-20220210-0004/
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 4.8
EPSS 0.0061
EPSS Percentile 70.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-22 CWE-20
Status published
Products (48)
apache/commons_io 2.2
apache/commons_io 2.3
apache/commons_io 2.4
apache/commons_io 2.5
apache/commons_io 2.6
com.cosium.vet/vet 1.0 (Maven)
com.diamondq.common/common-thirdparty.jcasbin (Maven)
com.liferay/com.liferay.sass.compiler.jsass (Maven)
com.virjar/ratel-api 1.0.0 (Maven)
commons-io/commons-io 0 - 2.7 (Maven)
... and 38 more
Published Apr 13, 2021
Tracked Since Feb 18, 2026