CVE-2025-40592

Summary

A vulnerability has been identified in Mendix Studio Pro 10 (All versions < V10.23.0), Mendix Studio Pro 10.12 (All versions < V10.12.17), Mendix Studio Pro 10.18 (All versions < V10.18.7), Mendix Studio Pro 10.6 (All versions < V10.6.24), Mendix Studio Pro 11 (All versions < V11.0.0), Mendix Studio Pro 8 (All versions < V8.18.35), Mendix Studio Pro 9 (All versions < V9.24.35). A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation.

Affected Software

VendorProductVersion RangeStatus
SiemensMendix Studio Pro 100 < V10.23.0affected
SiemensMendix Studio Pro 10.120 < V10.12.17affected
SiemensMendix Studio Pro 10.180 < V10.18.7affected
SiemensMendix Studio Pro 10.60 < V10.6.24affected
SiemensMendix Studio Pro 110 < V11.0.0affected
SiemensMendix Studio Pro 80 < V8.18.35affected
SiemensMendix Studio Pro 90 < V9.24.35affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References