Apache Commons VFS <2.10 Unmasked Password Leak in FtpFileObject Exception
CVE-2025-30474 Published on March 23, 2025
Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.
The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message
This issue affects Apache Commons VFS: before 2.10.0.
Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Vulnerability Analysis
CVE-2025-30474 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2025-30474 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2025-30474
stack.watch emails you whenever new vulnerabilities are published in Apache Commons Vfs or Oracle. Just hit a watch button to start following.
Affected Versions
Apache Software Foundation Apache Commons VFS:- Before 2.10.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.